maven-dev mailing list archives

From "Manfred Moser" <manf...@simpligility.com>
Subject Re: Warning when artifacts are downloaded over an insecure channel
Date Fri, 07 Oct 2016 22:49:36 GMT
The aether code is currently being absorbed into Maven, so you just need to hang tight until that's
done if you want to propose a code change. But it's right here with the same team.

And regarding the warning ... such a warning would have to be disabled by default; otherwise
it would litter the log for many existing builds, causing all sorts of issues. And then I am
not sure it makes much sense.

But say you go with a warning, you would not want to warn for each download but only for the
first one, to avoid excessive logging. So maybe just warn for each specific repository URL
once.

Manfred

Alexander Kjäll wrote on 2016-10-07 15:42:

> That's good feedback, I'll investigate the aether code and propose the
> same thing to them.
> 
> I agree that some people might want to have their download insecure,
> that's why I think that a warning is an appropriate level of
> notification regarding this.
> 
> //Alex
> 
> 2016-10-08 0:16 GMT+02:00 Michael Osipov <michaelo@apache.org>:
>> Am 2016-10-07 um 23:31 schrieb Alexander Kjäll:
>>>
>>> Hi
>>>
>>> I would like to propose that maven issues a warning when an artifact
>>> gets downloaded over http instead of https.
>>>
>>> The current security model kind of relies on no one MITM'ing the
>>> download and replacing the artifact and checksums with something
>>> malicious. That becomes impossible to guarantee when run over a
>>> transport layer that lacks security.
>>>
>>> I have attached a very crude patch that implements this behaviour, but
>>> I'm sure it needs to be reworked before it's ready to be merged.
>>
>>
>> Basically, Aether should handle this, as you might plug in other protocols to
>> pull from: SFTP, FTPS, DAVS, etc. Additionally, if this happens in a
>> company, maybe people are quite fine with insecure only.
>>
>> To sum up: we should wait until Aether transforms into Maven Artifact Resolver.
>>
>> Michael
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
>> For additional commands, e-mail: dev-help@maven.apache.org
>>
> 


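The thread proposes a warning for artifacts fetched over http and suggests emitting it only once per repository URL. As an added example that is not part of the thread, Maven, or Aether, the script below applies that idea as a pre-build audit: it parses constructed pom.xml and settings.xml documents, collects every <repository>, <pluginRepository>, <snapshotRepository> and <mirror> URL, flags those whose scheme offers no transport integrity, and reports each distinct insecure URL once. It goes slightly beyond the http-vs-https case in the thread by also treating ftp and plain dav as insecure while accepting https, sftp, ftps and davs, which is an assumption of this example (the INSECURE_SCHEMES set is not something Maven defines), as are the hostnames and repository ids in the sample XML.

```python
"""Audit Maven POM and settings documents for repositories reached over an
insecure transport, warning once per distinct repository URL.

Added example for illustration; not code from Maven, Aether or the thread.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Schemes that give no transport integrity. Over these an on-path attacker
# can replace the artifact AND its .sha1/.md5 checksum together, so Maven's
# checksum verification does not help. This list is an assumption of the
# example, not a list Maven maintains.
INSECURE_SCHEMES = {"http", "ftp", "dav"}

# Elements in pom.xml / settings.xml that carry a repository <url>.
REPOSITORY_ELEMENTS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}


def _local(tag):
    """Strip an XML namespace prefix such as {http://maven.apache.org/POM/4.0.0}."""
    return tag.rsplit("}", 1)[-1]


def repository_urls(xml_text):
    """Yield (element_kind, repository_id, url) for each repository-like element."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in REPOSITORY_ELEMENTS:
            continue
        repo_id, url = None, None
        for child in elem:
            name = _local(child.tag)
            if name == "id":
                repo_id = (child.text or "").strip()
            elif name == "url":
                url = (child.text or "").strip()
        if url:
            yield kind, repo_id or "(no id)", url


def is_insecure(url):
    """True when the URL's scheme is in INSECURE_SCHEMES.

    Wagon-style URLs such as dav:http://host/ parse with scheme 'dav', and
    davs:https://host/ with scheme 'davs', so the prefix alone decides.
    """
    return urlsplit(url).scheme.lower() in INSECURE_SCHEMES


def find_insecure_repositories(*documents):
    """Return one warning string per distinct insecure repository URL.

    The dedup set mirrors the thread's suggestion: warn on the first sighting
    of a URL, not on every download (or every element) that uses it.
    """
    seen = set()
    warnings = []
    for doc in documents:
        for kind, repo_id, url in repository_urls(doc):
            if not is_insecure(url) or url in seen:
                continue
            seen.add(url)
            warnings.append(f"[WARNING] {kind} '{repo_id}' uses an insecure transport: {url}")
    return warnings


# Constructed sample documents; hostnames and ids are invented for the example.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>corp-plain</id><url>http://repo.example.internal/maven2</url></repository>
    <repository><id>central-tls</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>corp-plain-plugins</id><url>http://repo.example.internal/maven2</url></pluginRepository>
  </pluginRepositories>
</project>"""

SAMPLE_SETTINGS = """<settings>
  <mirrors>
    <mirror><id>proxy</id><mirrorOf>*</mirrorOf><url>http://proxy.example.internal/maven2</url></mirror>
    <mirror><id>sftp-mirror</id><mirrorOf>other</mirrorOf><url>sftp://files.example.internal/maven2</url></mirror>
  </mirrors>
</settings>"""

if __name__ == "__main__":
    for line in find_insecure_repositories(SAMPLE_POM, SAMPLE_SETTINGS):
        print(line)
```

Run against the two samples, it reports the corp-plain http repository once (the pluginRepository pointing at the same URL is suppressed by the dedup set) and the http mirror, and says nothing about the https and sftp entries. Mirrors matter because a `<mirrorOf>*</mirrorOf>` entry silently redirects every repository, including an https one declared in the POM, to whatever transport the mirror uses.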
