maven-dev mailing list archives

From Eric Rannaud <>
Subject HTTPS for
Date Sat, 13 Aug 2011 01:55:56 GMT

I raised asking if HTTPS
should be available and required to access It was
closed without comments, maybe because this is not a bug with Maven
per se. was raised 3 years ago, and
it appears that only part of its goal has been achieved. Artifacts are
routinely signed when deployed, indeed it is a requirement to publish
on major Maven repos.

However, as far as I can tell, if I'm a conscientious developer
building Apache Thrift, say, on a modern distro:

  gpg --verify thrift-0.6.1.tar.gz.asc
  ./configure && make
      [get] Getting:
      [get] To:
[artifact:dependencies] [WARNING] Overriding profile:
'maven-ant-tasks-repo-profile' (source: pom) with new instance from
source: pom
[artifact:dependencies] Downloading:
org/slf4j/slf4j-api/1.5.8/slf4j-api-1.5.8.pom from repository central
[artifact:dependencies] Downloading:
org/slf4j/slf4j-parent/1.5.8/slf4j-parent-1.5.8.pom from repository
central at
[artifact:dependencies] Downloading:
org/slf4j/slf4j-log4j12/1.5.8/slf4j-log4j12-1.5.8.pom from repository
central at

I would have thought that I had done the right thing by verifying the
signature on thrift, that I was likely running official code. But
without any warning, I just downloaded a bunch of unauthenticated
JARs, and the build will happily execute their contents without any
further validation. I don't even get a chance to retrieve the
signatures that *are* on the server and check them by hand.

From what I can understand, the only way to ensure all artifact
signatures are checked when using an ant rule such as is to already be aware of this gotcha and to
install and configure a local repository manager such as Nexus
Professional (is that available in the OSS version?), making sure that
I have some kind of proxy set up to intercept the connection attempt
to, and then I can build Thrift.

In other words, if I'm a little oblivious to how Maven approaches
security, and artifact integrity, I'm screwed.

This is not really a problem with Thrift per se. Any other software
using Maven rules to retrieve dependencies and then relying on these
for running tests, say, as part of a build will put their users at

MNG-2477 describes an architecture that would be secure by default,
but my understanding is that this is not yet available.

As a stopgap measure, it would go a long way toward offering some
level of reassurance that downloaded artifacts are authentic if the
central repository would only deliver artifacts over HTTPS,
redirecting HTTP requests to HTTPS with a 301/302 for backward
compatibility. Right now, is not even available over
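
The message above says the signatures are on the server but the build never gives you a chance to check them. The script below is an added example (mine, not code from the original message, from Thrift or from the Maven project) of doing that check by hand for one of the dependencies in the Thrift build output, slf4j-api 1.5.8, and of auditing a local repository for artifacts that have no .asc beside them. It assumes things the message does not state: that Central's base URL is https://repo1.maven.org/maven2/, that the sidecar files are named <file>.asc and <file>.sha1, that the local repository is ~/.m2/repository, and that a `gpg` binary is on PATH.

```python
"""Added example (mine, not code from the original message, from Thrift or
from the Maven project): for an artifact that a build pulled from Central
without any check, locate the detached PGP signature and SHA-1 checksum
that sit next to it on the server, and verify them by hand.

Assumptions not stated on the page: Central's base URL is
https://repo1.maven.org/maven2/, the sidecars are named <file>.asc and
<file>.sha1, the local repository is ~/.m2/repository, and a `gpg`
binary is on PATH for signature checks.
"""
import hashlib
import os
import subprocess
import urllib.request

CENTRAL = "https://repo1.maven.org/maven2/"  # assumed base URL


def central_paths(group, artifact, version, packaging="jar"):
    """Map Maven coordinates to repository-relative paths for the artifact
    and its .asc / .sha1 sidecars, and to their HTTPS URLs on Central."""
    base = "%s/%s/%s/%s-%s.%s" % (group.replace(".", "/"), artifact,
                                  version, artifact, version, packaging)
    rel = {"artifact": base, "asc": base + ".asc", "sha1": base + ".sha1"}
    urls = {name: CENTRAL + path for name, path in rel.items()}
    return rel, urls


def verify_sha1(data, sidecar_text):
    """Check artifact bytes against a .sha1 sidecar. Sidecars carry either
    the bare hex digest or 'digest  filename'; only the first token counts.
    Caveat: a checksum served over the same unauthenticated channel as the
    artifact only catches corruption, not substitution; the .asc does."""
    tokens = sidecar_text.split()
    if not tokens:
        return False
    return hashlib.sha1(data).hexdigest() == tokens[0].lower()


def fetch(url):
    """Download a file over HTTPS (network access; not used in tests)."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def verify_pgp(artifact_path, asc_path, gpg="gpg"):
    """Run `gpg --verify`. Exit status 0 means a good signature from a key
    already in the local keyring; it fails if the key was never imported,
    and a good signature still says nothing about whether you trust
    that key."""
    result = subprocess.run([gpg, "--batch", "--verify", asc_path, artifact_path],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def missing_signatures(listing):
    """Given (directory, filenames) pairs as os.walk yields them, return the
    .jar and .pom files that have no .asc beside them, i.e. artifacts the
    build used without any chance of a signature check."""
    unverified = []
    for dirpath, files in listing:
        for name in files:
            if name.endswith((".jar", ".pom")) and name + ".asc" not in files:
                unverified.append(dirpath + "/" + name)
    return sorted(unverified)


def audit_local_repo(root):
    """Walk a local repository (assumed ~/.m2/repository) for unsigned files."""
    return missing_signatures((d, f) for d, _, f in os.walk(root))


if __name__ == "__main__":
    # Manual check of one dependency from the Thrift build output above.
    repo = os.path.expanduser("~/.m2/repository")  # assumed location
    rel, urls = central_paths("org.slf4j", "slf4j-api", "1.5.8")
    local = os.path.join(repo, rel["artifact"])
    if os.path.exists(local):
        asc = local + ".asc"
        with open(asc, "wb") as fh:
            fh.write(fetch(urls["asc"]))
        with open(local, "rb") as fh:
            print("sha1 ok:", verify_sha1(fh.read(), fetch(urls["sha1"]).decode()))
        print("pgp ok:", verify_pgp(local, asc))
    for path in audit_local_repo(repo):
        print("no signature beside", path)
```

Run it after the Thrift build has populated the local repository; it fetches the .asc over HTTPS rather than HTTP so that at least the signature file itself is not trivially substitutable, and `verify_pgp` only succeeds once the signer's public key has been imported into the local keyring.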

