From: Mark Chu-Carroll
To: dev@aurora.incubator.apache.org
Date: Wed, 30 Jul 2014 12:12:21 -0400
Subject: Re: [DISCUSS] Build security

+1

On Wed, Jul 30, 2014 at 12:10 PM, Kevin Sweeney wrote:
> Hi all,
>
> Recently in the news there has been a lot of controversy regarding Maven
> Central's lack of HTTPS support (without a donation for an access key which
> isn't redistributable, see [1], [2], [3] for context). While Sonatype plans
> to deploy HTTPS for all to fix it, there is an exploit tool in the wild.
> JCenter is an alternate Maven Central mirror that contains the dependencies
> we currently get from Maven Central. It allows free HTTPS access.
>
> I propose we immediately accept my patch [4] to switch to JCenter over
> HTTPS, buying us an immediate mitigation to the exploit tool in the wild.
> Longer-term we can switch to checksum-pinning our dependencies [5], which
> will allow us to use any Maven mirror as long as we trust our git origin
> servers and committers.
>
> Though it wasn't called out in the press, our Python dependencies are
> probably vulnerable to a similar issue and I've filed an issue [6] to
> investigate checksum-pinning there too.
>
> Please discuss, and if you agree please give a shipit to my review.
>
> Thanks,
> Kevin
>
> [1] http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
> [2] http://blog.sonatype.com/2014/07/ssl_connectivity_for_central/#.U9kVOnVdXmE
> [3] https://twitter.com/bintray/status/494129921363824640
> [4] https://reviews.apache.org/r/24063/
> [5] https://issues.apache.org/jira/browse/AURORA-616
> [6] https://issues.apache.org/jira/browse/AURORA-618
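The two mitigations in the quoted proposal, refusing plaintext HTTP repositories now and pinning a checksum per dependency later, are modelled below as an added example. This is not Aurora's build code, Kevin's patch, or Gradle's resolver; the lock-file format, the `com.example:widget:1.0` coordinates, the repository URL, and the stand-in artifact bytes are all constructed here. The pinned digest is the well-known SHA-256 of the bytes `abc`, which the example uses as its "jar" so that it runs offline.

```python
"""Checksum-pinned dependency resolution (added example, not Apache Aurora code).

Model: a lock file committed to git records, per artifact, the SHA-256 of the
bytes the committer trusted and the URL it was fetched from. Any mirror may
then serve the artifact; a substituted jar (e.g. injected by an on-path
attacker against a plaintext HTTP repository) fails verification.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlparse


class VerificationError(Exception):
    """Raised when an artifact or repository cannot be trusted."""


@dataclass(frozen=True)
class PinnedArtifact:
    coordinates: str  # group:artifact:version
    sha256: str       # lowercase hex digest of the expected bytes
    url: str          # where to fetch it; any mirror works once the digest is pinned


# Constructed lock file: one artifact, whose "jar" below is the three bytes b"abc".
# The digest is the standard SHA-256 test vector for "abc".
LOCK_FILE = """\
# coordinates           sha256                                                            url
com.example:widget:1.0  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  https://repo.example.org/com/example/widget/1.0/widget-1.0.jar
"""
TRUSTED_JAR = b"abc"  # stand-in for the real artifact bytes


def parse_lock_file(text: str) -> Dict[str, PinnedArtifact]:
    """Parse 'coords sha256 url' lines; '#' starts a comment. Rejects malformed or duplicate pins."""
    pins: Dict[str, PinnedArtifact] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"lock file line {lineno}: expected 'coords sha256 url'")
        coords, digest, url = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"lock file line {lineno}: malformed sha256")
        if coords in pins:
            raise ValueError(f"lock file line {lineno}: duplicate pin for {coords}")
        pins[coords] = PinnedArtifact(coords, digest, url)
    return pins


def pin_line(coordinates: str, url: str, trusted_bytes: bytes) -> str:
    """Produce a lock-file line from bytes the committer has decided to trust."""
    return f"{coordinates}  {hashlib.sha256(trusted_bytes).hexdigest()}  {url}"


def is_https(url: str) -> bool:
    """Immediate mitigation: only talk to repositories over TLS; plaintext HTTP is what the MITM tool needs."""
    return urlparse(url).scheme == "https"


def verify_artifact(pin: PinnedArtifact, fetched: bytes) -> str:
    """Long-term mitigation: fetched bytes must match the committed digest, whichever mirror served them."""
    actual = hashlib.sha256(fetched).hexdigest()
    if not hmac.compare_digest(actual, pin.sha256):
        raise VerificationError(
            f"{pin.coordinates}: sha256 mismatch (expected {pin.sha256}, got {actual})")
    return actual


def resolve(pins: Dict[str, PinnedArtifact], fetch: Callable[[str], bytes],
            require_https: bool = True) -> Dict[str, bytes]:
    """Fetch and verify every pinned artifact; raise before using anything untrusted."""
    resolved: Dict[str, bytes] = {}
    for coords, pin in pins.items():
        if require_https and not is_https(pin.url):
            raise VerificationError(f"{coords}: refusing non-HTTPS repository URL {pin.url}")
        data = fetch(pin.url)
        verify_artifact(pin, data)  # raises on a swapped jar
        resolved[coords] = data
    return resolved


def demo() -> Dict[str, object]:
    """Resolve against an honest mirror, then against one that swaps in a tampered jar."""
    pins = parse_lock_file(LOCK_FILE)
    honest = {pin.url: TRUSTED_JAR for pin in pins.values()}
    resolved = resolve(pins, honest.__getitem__)
    tampered = {pin.url: b"abc\x00backdoor" for pin in pins.values()}  # constructed attacker payload
    try:
        resolve(pins, tampered.__getitem__)
        blocked = False
    except VerificationError:
        blocked = True
    return {"resolved": sorted(resolved), "tamper_blocked": blocked}


if __name__ == "__main__":
    print(demo())
    print(pin_line("com.example:widget:1.0", "https://repo.example.org/widget-1.0.jar", TRUSTED_JAR))
```

The URL check alone is the quick fix the patch buys; once every artifact is pinned, `require_https=False` becomes acceptable because the digest, not the transport, is what establishes trust, and the lock file is protected by the same git origin and committer trust the project already relies on.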