Posted to issues@maven.apache.org by "Jonathan Leitschuh (JIRA)" <ji...@apache.org> on 2019/06/10 13:41:00 UTC
[jira] [Updated] (MNG-6673) Deprecate HTTP Download & Upload
[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Leitschuh updated MNG-6673:
------------------------------------
Summary: Deprecate HTTP Download & Upload (was: Deprecate http Download & Upload)
> Deprecate HTTP Download & Upload
> --------------------------------
>
> Key: MNG-6673
> URL: https://issues.apache.org/jira/browse/MNG-6673
> Project: Maven
> Issue Type: Improvement
> Components: Deployment
> Reporter: Jonathan Leitschuh
> Priority: Major
>
> Some of the most popular Java projects in the JVM ecosystem are vulnerable to a MITM of their dependencies. This is something that build tools can help prevent.
> Starting in the next release of Maven, Maven should begin warning users about the use of HTTP to download/upload artifacts to/from artifact servers.
> I believe that Maven/Gradle/SBT should require users to opt-out of the security offered by using HTTPS to download/upload artifacts.
> Here's a list of projects that were found to be vulnerable to this:
> [https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
> This issue will be updated later today to link to the public disclosure of this industry-wide vulnerability.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
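An added example, not Maven's own code and not part of the issue above, of the check the request asks Maven to perform: scan a pom.xml for download endpoints (repository, pluginRepository) and upload endpoints (distributionManagement's repository and snapshotRepository) whose URL scheme is not HTTPS. The function name and the sample POM are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Elements whose <url> child is an artifact download or upload endpoint.
# <repository> also appears under <distributionManagement>, the deploy side.
ENDPOINT_TAGS = ("repository", "pluginRepository", "snapshotRepository")


def insecure_repository_urls(pom_xml: str) -> list[tuple[str, str]]:
    """Return (repository id, url) pairs whose scheme is anything but https."""
    root = ET.fromstring(pom_xml)
    # Most POMs declare the POM namespace; tolerate ones that do not.
    prefix = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    findings = []
    for tag in ENDPOINT_TAGS:
        for repo in root.iter(prefix + tag):
            url_el = repo.find(prefix + "url")
            id_el = repo.find(prefix + "id")
            if url_el is None or not url_el.text:
                continue
            url = url_el.text.strip()
            repo_id = id_el.text.strip() if id_el is not None and id_el.text else "?"
            # Plain http, file or an unresolved ${property} all fail the check:
            # only an explicit https scheme is accepted.
            if urlparse(url).scheme.lower() != "https":
                findings.append((repo_id, url))
    return findings


# Constructed sample POM: one HTTPS repository, one HTTP repository, one HTTP deploy target.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>legacy</id><url>http://repo.example.internal/maven2</url></repository>
  </repositories>
  <distributionManagement>
    <repository><id>releases</id><url>http://nexus.example.internal/releases</url></repository>
  </distributionManagement>
</project>"""

if __name__ == "__main__":
    for repo_id, url in insecure_repository_urls(SAMPLE_POM):
        print(f"WARNING: repository '{repo_id}' uses a non-HTTPS URL: {url}")
```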