I liked the idea of only issuing warnings about repository URLs and not
for every download; that would greatly reduce the amount of duplicated
information.

I think it might be user-friendly to inform someone when they have
configured their project so that it disables the security model of
Maven, but maybe a warning is too strong and it should rather be an
info-level message?

It might not be obvious to everyone that it's actually the security of
the transport layer that is a key feature, and if that is compromised
it's game over. For example, at my place of work some thought that
HTTPS didn't matter since there were checksums of all the
artifacts.

I agree that not all repositories have HTTPS, but now that Let's
Encrypt exists it's only a simple configuration tweak to add it, so I
think the improved security of adding HTTPS outweighs the
inconvenience of it.

//Alex

2016-10-08 11:34 GMT+02:00 Robert Scholte <rfscho...@apache.org>:
> It should be possible to run any build without a warning. We cannot assume
> that every http connection also has a https connection. Maven is only aware
> of one URL and that's the one to Central. This has already been changed to
> https. Other URLs are specified in the settings.xml, (direct) pom.xml and
> dependency-poms. The first two are managed by the end-user; he has set these
> values, so he already should be aware of these values.
> The dependency poms (and plugin poms) are harder to discover and to control.
> For all cases having a repository manager is much easier to control
> connections.
> If there should be a warning, might be better to write an enforcer-rule for
> it and apply it on your own projects.
>
> Robert
>
>
> On Sat, 08 Oct 2016 00:49:36 +0200, Manfred Moser <manf...@simpligility.com>
> wrote:
>
>> The aether code is currently absorbed into Maven, so you just need to hang
>> tight until that's done if you want to propose a code change. But it's right
>> here with the same team.
>>
>> And regarding the warning ... such a warning would have to be disabled by
>> default, otherwise it would litter the log for many existing builds, causing
>> all sorts of issues. And then I am not sure it makes much sense.
>>
>> But say you go with a warning, you would not want to warn for each
>> download but only for the first one, to avoid excessive logging. So maybe
>> just warn for each specific repository URL once.
>>
>> Manfred
>>
>> Alexander Kjäll wrote on 2016-10-07 15:42:
>>
>>> That's good feedback, I'll investigate the aether code and propose the
>>> same thing to them.
>>>
>>> I agree that some people might want to have their download insecure;
>>> that's why I think that a warning is an appropriate level of
>>> notification regarding this.
>>>
>>> //Alex
>>>
>>> 2016-10-08 0:16 GMT+02:00 Michael Osipov <micha...@apache.org>:
>>>>
>>>> Am 2016-10-07 um 23:31 schrieb Alexander Kjäll:
>>>>>
>>>>>
>>>>> Hi
>>>>>
>>>>> I would like to propose that Maven issues a warning when an artifact
>>>>> gets downloaded over http instead of https.
>>>>>
>>>>> The current security model kind of relies on no one MITM-ing the
>>>>> download and replacing the artifact and checksums with something
>>>>> malicious. That becomes impossible to guarantee when run over a
>>>>> transport layer that lacks security.
>>>>>
>>>>> I have attached a very crude patch that implements this behaviour, but
>>>>> I'm sure it needs to be reworked before it's ready to be merged.
>>>>
>>>>
>>>>
>>>> Basically, Aether should handle this, as you might plug in other protocols
>>>> to pull from: SFTP, FTPS, DAVS, etc. Additionally, if this happens in a
>>>> company, maybe people are quite fine with insecure only.
>>>>
>>>> To sum up: we should wait until Aether transforms into Maven Artifact
>>>> Resolver.
>>>>
>>>> Michael
>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>>>> For additional commands, e-mail: dev-h...@maven.apache.org
>>>>
>>>
>>
>>
>
>
>


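Robert's suggestion of an enforcer rule applied to one's own projects can be done with a built-in rule and no custom code. The following pom.xml fragment is an added example, not from this thread or from the Maven project; the plugin version and the execution id are assumptions, while bannedRepositories is a real maven-enforcer-plugin rule.

```xml
<!-- pom.xml fragment (added example). Fails the build if any repository
     or plugin repository in the effective POM is declared over plain http.
     The enforce goal binds to the validate phase by default, so this runs
     before any dependency is downloaded. Version and execution id are
     assumptions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>1.4.1</version>
      <executions>
        <execution>
          <id>require-https-repositories</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedRepositories>
                <!-- "*" is a wildcard: every URL starting with http:// is banned -->
                <bannedRepositories>
                  <bannedRepository>http://*</bannedRepository>
                </bannedRepositories>
                <bannedPluginRepositories>
                  <bannedPluginRepository>http://*</bannedPluginRepository>
                </bannedPluginRepositories>
              </bannedRepositories>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Two caveats a practitioner should keep in mind. The rule sees the repositories of the effective POM, i.e. those from the project, its parents, settings.xml profiles and the default central entry, which is exactly the set Robert describes as managed by the end user; repositories that only appear in dependency or plugin POMs are discovered by the resolver at download time and are not covered, so a repository manager (or a mirror of `*` in settings.xml) remains the way to control those. And because the check is per project rather than per download, it naturally reports each offending URL once instead of flooding the log, which addresses Manfred's concern.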