maven-repo-maintainers mailing list archives

From Brian Fox <>
Subject Securing Central
Date Fri, 15 Oct 2010 15:51:49 GMT
As you know, Maven Central has become an increasingly important
resource for the development community at large. We've put several
efforts forward earlier this year to help improve the content quality
and to reduce the time required to get artifacts into the repository.
These have matured over time and are now automatically validating
artifacts. These processes are documented at [1] and [2].

Earlier this year, we stopped accepting new feeds via Rsync and
Svn[3]. The current rsyncs and svn imports will be maintained through
the end of the year, at which point they will be disabled. Please look
to migrate your projects to an approved forge[1].

We're at over 120GB worth of open source artifacts and metadata. As
the popularity and amount of content increase, so does the incentive
for attacking the system and polluting its contents.

Over recent months, scanning and other attempts at intrusion have
increased to an unacceptable level. Because of this, combined with the
fact that the process for managing inbound data is external to Central,
we have decided to take some steps to secure the systems. We now have a
staging location hosted on a separate machine where all the artifacts
are collected, analyzed and then pushed to the live system. This
serves to gate the access and allow validation of artifacts before
they hit the public URLs. It also means we have a hot backup should
something happen to the primary machine.

In addition to having multiple checkpoints for the artifacts to pass
through, and to further secure the systems from the constant brute
force attempts, we have shut off all external access to the systems,
except for http over port 80.

In addition to securing the systems and data, we have worked with
Contegix to provision two new machines in their UK location. These are
official mirrors of Central and updated at the same rate as repo1. The
public URL to access these mirrors will be announced next week. We
anticipate providing additional mirrors in Asia/Australia within the
next 6 months.

We've also created a new Jira project to manage any and all concerns
and issues with Central, the mirrors, content, etc. [4]
