aurora-issues mailing list archives

From "Kevin Sweeney (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AURORA-620) Consider using JCenter over HTTPS instead of Maven Central
Date Wed, 30 Jul 2014 15:41:39 GMT

    [ https://issues.apache.org/jira/browse/AURORA-620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079391#comment-14079391 ]

Kevin Sweeney commented on AURORA-620:
--------------------------------------

Why wait for Sonatype to deploy a new service now, given that there's a patch available for
a more secure method right now that will improve developer security? Longer-term, checksum-pinning
our dependencies with gradle-witness and peep buys us more leverage against these types of
MITM attacks (for as long as jar+wheel signing isn't a common thing).

> Consider using JCenter over HTTPS instead of Maven Central
> ----------------------------------------------------------
>
>                 Key: AURORA-620
>                 URL: https://issues.apache.org/jira/browse/AURORA-620
>             Project: Aurora
>          Issue Type: Task
>          Components: Build, Scheduler, Security
>            Reporter: Kevin Sweeney
>            Assignee: Kevin Sweeney
>
> Since there are tools in the wild to MITM Maven Central users, switch to JCenter over HTTPS.
> See http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/ for context.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
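The comment above argues that pinning dependency checksums (gradle-witness for jars, peep for wheels) defends against a MITM that swaps an artifact fetched over plain HTTP. The script below is an added example of that mechanism, not code from the Aurora project or from either tool: it records a SHA-256 per artifact coordinate once, then refuses a build whose downloaded bytes do not match, including the fail-closed cases (an unpinned artifact, a pinned artifact that never arrived). The artifact bytes, the coordinates, and the `group:name:version:sha256` pin-line layout are constructed for illustration and only loosely mirror gradle-witness's format.

```python
import hashlib
import hmac

# Constructed stand-ins for downloaded jars: coordinate -> bytes.
# Not real Maven Central content; only the hashes matter for the demo.
GOOD_ARTIFACTS = {
    "com.google.guava:guava:17.0": b"PK\x03\x04 guava-17.0.jar (constructed sample bytes)",
    "org.apache.thrift:libthrift:0.9.1": b"PK\x03\x04 libthrift-0.9.1.jar (constructed sample bytes)",
}

# What a MITM on an HTTP Maven Central connection could hand back: same
# coordinate, different bytes (simulated; the appended payload is arbitrary).
TAMPERED_ARTIFACTS = dict(GOOD_ARTIFACTS)
TAMPERED_ARTIFACTS["com.google.guava:guava:17.0"] = (
    GOOD_ARTIFACTS["com.google.guava:guava:17.0"] + b" + injected class"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_pins(artifacts):
    """Record one pin line per artifact from a download the developer has
    inspected.  Line layout 'group:name:version:sha256' is an assumption that
    loosely mirrors gradle-witness; the list is what gets checked into the repo."""
    return [f"{coord}:{sha256_hex(data)}" for coord, data in sorted(artifacts.items())]


def parse_pins(lines):
    """Parse pin lines into {coordinate: sha256hex}; reject malformed digests
    so a truncated or edited pin file cannot silently weaken the check."""
    pins = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        coord, sep, digest = line.rpartition(":")
        digest = digest.lower()
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed pin line: {raw!r}")
        pins[coord] = digest
    return pins


def verify(artifacts, pins):
    """Return a sorted list of (coordinate, reason) problems; empty means the
    build may proceed.  Fails closed: every artifact needs a pin and every pin
    needs an artifact.  Digest comparison is constant-time."""
    problems = []
    for coord, data in artifacts.items():
        expected = pins.get(coord)
        if expected is None:
            problems.append((coord, "no pinned checksum"))
        elif not hmac.compare_digest(sha256_hex(data), expected):
            problems.append((coord, "checksum mismatch"))
    for coord in pins:
        if coord not in artifacts:
            problems.append((coord, "pinned but not downloaded"))
    return sorted(problems)


# Pins are generated once from a trusted download, then treated as read-only.
PIN_LINES = build_pins(GOOD_ARTIFACTS)


def demo():
    pins = parse_pins(PIN_LINES)
    return {
        "clean": verify(GOOD_ARTIFACTS, pins),
        "mitm": verify(TAMPERED_ARTIFACTS, pins),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "OK" if not result else result)
```

The pins must come from a download made out of band (HTTPS, a verified mirror, or a hash published by the upstream project), otherwise the first fetch over HTTP is exactly the one the attacker controls; after that, a swapped jar fails the build whether the transport was HTTP or HTTPS.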
