Posted to issues@orc.apache.org by "Yiqun Zhang (Jira)" <ji...@apache.org> on 2021/08/20 02:49:00 UTC

[jira] [Commented] (ORC-894) Fix warning in orc-benchmarks-hive

    [ https://issues.apache.org/jira/browse/ORC-894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17401983#comment-17401983 ] 

Yiqun Zhang commented on ORC-894:
---------------------------------

My local environment does not trigger this warning.
https://maven.apache.org/docs/3.8.1/release-notes.html.


{noformat}
Possible Man-In-The-Middle-Attack due to custom repositories using HTTP
More and more repositories use HTTPS nowadays, but this hasn’t always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with <blocked> parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning “any external URL using HTTP”.
The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.{noformat}


Maybe it's a high version of Maven that's causing the problem.

> Fix warning in orc-benchmarks-hive
> ----------------------------------
>
>                 Key: ORC-894
>                 URL: https://issues.apache.org/jira/browse/ORC-894
>             Project: ORC
>          Issue Type: Improvement
>          Components: Java
>    Affects Versions: 1.8.0
>            Reporter: Dongjoon Hyun
>            Priority: Major
>
> {code}
> [INFO] --- maven-assembly-plugin:3.3.0:single (make-assembly) @ orc-benchmarks-hive ---
> [INFO] Reading assembly descriptor: src/assembly/uber.xml
> Downloading from maven-default-http-blocker: http://0.0.0.0/org/apache/felix/maven-bundle-plugin/maven-metadata.xml
> [WARNING] Could not transfer metadata org.apache.felix:maven-bundle-plugin/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): transfer failed for http://0.0.0.0/org/apache/felix/maven-bundle-plugin/maven-metadata.xml
> {code}


