From: Kevin Sweeney
To: Aurora
Date: Wed, 30 Jul 2014 09:10:13 -0700
Subject: [DISCUSS] Build security

Hi all,

Recently in the news there has been a lot of controversy regarding Maven Central's lack of HTTPS support (without a donation for an access key which isn't redistributable; see [1], [2], [3] for context). While Sonatype plans to deploy HTTPS for all to fix it, there is an exploit tool in the wild.

JCenter is an alternate Maven Central mirror that contains the dependencies we currently get from Maven Central. It allows free HTTPS access. I propose we immediately accept my patch [4] to switch to JCenter over HTTPS, buying us an immediate mitigation to the exploit tool in the wild.

Longer-term we can switch to checksum-pinning our dependencies [5], which will allow us to use any Maven mirror as long as we trust our git origin servers and committers.

Though it wasn't called out in the press, our Python dependencies are probably vulnerable to a similar issue and I've filed an issue [6] to investigate checksum-pinning there too.

Please discuss, and if you agree please give a shipit to my review.

Thanks,
Kevin

[1] http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
[2] http://blog.sonatype.com/2014/07/ssl_connectivity_for_central/#.U9kVOnVdXmE
[3] https://twitter.com/bintray/status/494129921363824640
[4] https://reviews.apache.org/r/24063/
[5] https://issues.apache.org/jira/browse/AURORA-616
[6] https://issues.apache.org/jira/browse/AURORA-618
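The longer-term mitigation the message proposes, checksum-pinning dependencies so that any mirror can be used as long as the pin file in git is trusted, is shown below as an added example. It is not part of the original message, of the review linked above, or of Aurora's build; the artifact names, their bytes and the manifest format ("<name> <sha256-hex>" per line) are all constructed for the example. The verifier fails closed on artifacts the manifest does not pin, and it treats a tampered download (altered bytes, as an untrusted mirror or on-path party could return over plain HTTP) as a build failure rather than a warning.

```python
import hashlib
import hmac

# Constructed stand-ins for downloaded build dependencies (name -> bytes).
# In a real build these would be the jars or sdists fetched from a mirror;
# the names are illustrative, not Aurora's actual dependency list.
KNOWN_GOOD = {
    "example-lib-1.0.jar": b"constructed bytes standing in for example-lib-1.0.jar",
    "example-util-2.3.jar": b"constructed bytes standing in for example-util-2.3.jar",
}


def build_manifest(artifacts):
    """Produce the pin manifest ("<name> <sha256-hex>" per line).

    In practice this file is generated once from trusted copies, committed to
    git and reviewed like code; it is built here from KNOWN_GOOD only so the
    example is self-contained.
    """
    lines = [f"{name} {hashlib.sha256(data).hexdigest()}"
             for name, data in sorted(artifacts.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse the manifest into {name: digest}; reject malformed or duplicate entries."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<name> <sha256>'")
        name, digest = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad sha256 digest for {name}")
        if name in pins:
            raise ValueError(f"manifest line {lineno}: duplicate pin for {name}")
        pins[name] = digest
    return pins


def verify_artifact(name, data, pins):
    """Return (ok, reason). Unpinned artifacts fail closed: the mirror is not trusted."""
    expected = pins.get(name)
    if expected is None:
        return False, "no pin in manifest"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; the digests are public, but it costs nothing.
    if not hmac.compare_digest(actual, expected):
        return False, f"sha256 mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "ok"


def verify_all(artifacts, pins):
    """Verify every downloaded artifact; return {name: (ok, reason)}."""
    return {name: verify_artifact(name, data, pins) for name, data in artifacts.items()}


def all_verified(results):
    """True only if every artifact passed; this is the build's go/no-go signal."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    pins = parse_manifest(build_manifest(KNOWN_GOOD))
    # Simulate what an untrusted mirror could hand back: one artifact with
    # altered bytes and one the manifest never pinned.
    downloaded = dict(KNOWN_GOOD)
    downloaded["example-lib-1.0.jar"] += b"\x00tampered"
    downloaded["unexpected-0.1.jar"] = b"constructed bytes for an artifact nobody pinned"
    results = verify_all(downloaded, pins)
    for name, (ok, reason) in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
    print("build may proceed" if all_verified(results) else "build blocked")
```

The design point is that trust moves from the transport and the mirror to the manifest: as long as the pin file comes from a trusted git origin and changes to it are reviewed, the download channel no longer needs to be trusted, which is exactly what lets any Maven mirror be used.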