You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Herve Boutemy (Jira)" <ji...@apache.org> on 2021/04/17 07:26:00 UTC

[jira] [Issue Comment Deleted] (MNG-7118) Block external HTTP repositories by default

     [ https://issues.apache.org/jira/browse/MNG-7118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Herve Boutemy updated MNG-7118:
-------------------------------
    Comment: was deleted

(was: Build failed in Jenkins: Maven » Maven TLP » maven » maven-3.8.x #3

See https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven/job/maven-3.8.x/3/)

> Block external HTTP repositories by default
> -------------------------------------------
>
>                 Key: MNG-7118
>                 URL: https://issues.apache.org/jira/browse/MNG-7118
>             Project: Maven
>          Issue Type: New Feature
>    Affects Versions: 3.6.3
>            Reporter: Herve Boutemy
>            Assignee: Herve Boutemy
>            Priority: Major
>             Fix For: 3.8.1, 4.0.0, 4.0.0-alpha-1
>
>
> Downloading code from external repositories in HTTP is not a best practice: let's block that by default
> Using the 2 previously added features (MNG-7116 mirrorOf external:http:* to select repositories, and MNG-7117 to block the mirror), it can be done by adding a new mirror definition in default settings.xml provided in the Maven distribution:
> {code:xml}
> <settings>
>   <mirrors>
>     <mirror>
>       <id>maven-default-http-blocker</id>
>       <mirrorOf>external:http:*</mirrorOf>
>       <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
>       <url>http://0.0.0.0/</url>
>       <blocked>true</blocked>
>     </mirror>
>   </mirrors>
> </settings>{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)