maven-dev mailing list archives

From Eric Rannaud <eric.rann...@gmail.com>
Subject HTTPS for repo1.maven.org
Date Sat, 13 Aug 2011 01:55:56 GMT
Hi,

I raised http://jira.codehaus.org/browse/MNG-5154 asking if HTTPS
should be available and required to access repo1.maven.org. It was
closed without comments, maybe because this is not a bug with Maven
per se.

http://jira.codehaus.org/browse/MNG-2477 was raised 3 years ago, and
it appears that only part of its goal has been achieved. Artifacts are
routinely signed when deployed; indeed, it is a requirement to publish
on major Maven repos.

However, as far as I can tell, if I'm a conscientious developer
building Apache Thrift, say, on a modern distro:

  wget http://mirror.csclub.uwaterloo.ca/apache//thrift/0.6.1/thrift-0.6.1.tar.gz
  wget http://www.apache.org/dist/thrift/0.6.1/thrift-0.6.1.tar.gz.asc
  gpg --verify thrift-0.6.1.tar.gz.asc
  ./configure && make
  ...
mvn.ant.tasks.download:
      [get] Getting:
http://repo1.maven.org/maven2/org/apache/maven/maven-ant-tasks/2.1.3/maven-ant-tasks-2.1.3.jar
      [get] To:
/home/e/third/thrift/lib/java/build/tools/maven-ant-tasks-2.1.3.jar
mvn.init:
[artifact:dependencies] [WARNING] Overriding profile:
'maven-ant-tasks-repo-profile' (source: pom) with new instance from
source: pom
[artifact:dependencies] Downloading:
org/slf4j/slf4j-api/1.5.8/slf4j-api-1.5.8.pom from repository central
at http://repo1.maven.org/maven2
[artifact:dependencies] Downloading:
org/slf4j/slf4j-parent/1.5.8/slf4j-parent-1.5.8.pom from repository
central at http://repo1.maven.org/maven2
[artifact:dependencies] Downloading:
org/slf4j/slf4j-log4j12/1.5.8/slf4j-log4j12-1.5.8.pom from repository
central at http://repo1.maven.org/maven2
  ...

I would have thought that I had done the right thing by verifying the
signature on thrift, that I was likely running official code. But
without any warning, I just downloaded a bunch of unauthenticated
JARs, and the build will happily execute their contents without any
further validation. I don't even get a chance to retrieve the
signatures that *are* on the server and check them by hand.

From what I can understand, the only way to ensure all artifact
signatures are checked when using an ant rule such as
mvn.ant.tasks.download is to already be aware of this gotcha and to
install and configure a local repository manager such as Nexus
Professional (is that available in the OSS version?), making sure that
I have some kind of proxy set up to intercept the connection attempt
to repo1.maven.org, and then I can build Thrift.

In other words, if I'm a little oblivious to how Maven approaches
security and artifact integrity, I'm screwed.

This is not really a problem with Thrift per se. Any other software
using Maven rules to retrieve dependencies and then relying on these
for running tests, say, as part of a build will put their users at
risk.

MNG-2477 describes an architecture that would be secure by default,
but my understanding is that this is not yet available.

As a stopgap measure, it would go a long way toward offering some
level of reassurance that downloaded artifacts are authentic if the
central repository would only deliver artifacts over HTTPS,
redirecting HTTP requests to HTTPS with a 301/302 for backward
compatibility. Right now, repo1.maven.org is not even available over
HTTPS.

Thanks,
Eric.

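As an added example (not part of Eric's message and not Maven's own code), a small Python audit that reads build output of the shape quoted above, flags every artifact fetched over plain HTTP, and derives the HTTPS form of the URL plus the detached `.asc` signature URL a developer would need in order to check the signature by hand. The log text is a constructed re-joining of the wrapped lines in the message; the `.asc` suffix is assumed from Maven Central's repository layout.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the wrapped Ant/Maven output quoted in the message,
# re-joined into single lines, plus one HTTPS fetch to show it is not flagged.
SAMPLE_LOG = """\
mvn.ant.tasks.download:
      [get] Getting: http://repo1.maven.org/maven2/org/apache/maven/maven-ant-tasks/2.1.3/maven-ant-tasks-2.1.3.jar
      [get] To: /home/e/third/thrift/lib/java/build/tools/maven-ant-tasks-2.1.3.jar
mvn.init:
[artifact:dependencies] Downloading: org/slf4j/slf4j-api/1.5.8/slf4j-api-1.5.8.pom from repository central at http://repo1.maven.org/maven2
[artifact:dependencies] Downloading: org/slf4j/slf4j-api/1.5.8/slf4j-api-1.5.8.jar from repository central at https://repo1.maven.org/maven2
"""

# Two log shapes appear in the message: the Ant <get> task and maven-ant-tasks.
GET_RE = re.compile(r"\[get\] Getting:\s+(\S+)")
DEP_RE = re.compile(r"Downloading:\s+(\S+) from repository \S+ at (\S+)")


def artifact_urls(log_text):
    """Yield the full URL of every artifact the build fetched."""
    for line in log_text.splitlines():
        m = GET_RE.search(line)
        if m:
            yield m.group(1)
            continue
        m = DEP_RE.search(line)
        if m:
            # maven-ant-tasks logs the relative path and the repo base separately.
            yield m.group(2).rstrip("/") + "/" + m.group(1)


def audit(log_text):
    """Return one finding per artifact fetched over plain HTTP.

    Each finding carries the HTTPS form of the URL and the signature URL
    (artifact URL + '.asc', the assumed Maven Central convention).
    """
    findings = []
    for url in artifact_urls(log_text):
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # HTTPS fetches are not the gotcha this audit is after
        https_url = "https://" + parts.netloc + parts.path
        findings.append({"url": url, "https_url": https_url,
                         "signature_url": https_url + ".asc"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("plain-HTTP fetch:", f["url"])
        print("  signature:     ", f["signature_url"])
```

Run it over a captured build log to get the list of artifacts that arrived unauthenticated and the `.asc` files to retrieve and pass to `gpg --verify`.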