Posted to issues@maven.apache.org by "Eric Rannaud (JIRA)" <ji...@codehaus.org> on 2011/08/12 04:15:44 UTC

[jira] Created: (MNG-5154) repo1.maven.org should support HTTPS and HTTP requests should be redirected to HTTPS

repo1.maven.org should support HTTPS and HTTP requests should be redirected to HTTPS
------------------------------------------------------------------------------------

                 Key: MNG-5154
                 URL: https://jira.codehaus.org/browse/MNG-5154
             Project: Maven 2 & 3
          Issue Type: Bug
            Reporter: Eric Rannaud


As "Java runs the Internet" (sic), and that "Maven is awesome" (sic again -- these are real quotes, google them), man-in-the-middle attacks that inject bad code in downloaded JARs that are then happily and blindly executed on the machines of the developers that build the software that runs the aforementioned Internet without any authentication whatsoever is not a very good idea.

Once upon a time, when Maven was invented, back in 1985, there was an understandable certain "naivete" when it came to such things as security. The world was a happy place where no one tried to own developers' machines, because nobody understood, yet, that developers' machines are the best way to distribute malware all over the fricking place.

But this is 2011, a year that saw shiny new social networks redirect all HTTP requests to HTTPS from day one, so I'm sure that now is a good time to reconsider.

Thanks.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Closed: (MNG-5154) repo1.maven.org should support HTTPS and HTTP requests should be redirected to HTTPS

Posted by "Benjamin Bentmann (JIRA)" <ji...@codehaus.org>.
     [ https://jira.codehaus.org/browse/MNG-5154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benjamin Bentmann closed MNG-5154.
----------------------------------

    Resolution: Not A Bug

Please file this request at https://issues.sonatype.org/browse/MVNCENTRAL.

> repo1.maven.org should support HTTPS and HTTP requests should be redirected to HTTPS
> ------------------------------------------------------------------------------------
>
>                 Key: MNG-5154
>                 URL: https://jira.codehaus.org/browse/MNG-5154
>             Project: Maven 2 & 3
>          Issue Type: Bug
>            Reporter: Eric Rannaud
>
> As "Java runs the Internet" (sic), and that "Maven is awesome" (sic again -- these are real quotes, google them), man-in-the-middle attacks that inject bad code in downloaded JARs that are then happily and blindly executed on the machines of the developers that build the software that runs the aforementioned Internet without any authentication whatsoever is not a very good idea.
> Once upon a time, when Maven was invented, back in 1985, there was an understandable certain "naivete" when it came to such things as security. The world was a happy place where no one tried to own developers' machines, because nobody understood, yet, that developers' machines are the best way to distribute malware all over the fricking place.
> But this is 2011, a year that saw shiny new social networks redirect all HTTP requests to HTTPS from day one, so I'm sure that now is a good time to reconsider.
> Thanks.
