Hi, I raised http://jira.codehaus.org/browse/MNG-5154 asking if HTTPS should be available and required to access repo1.maven.org. It was closed without comments, maybe because this is not a bug with Maven per se.
http://jira.codehaus.org/browse/MNG-2477 was raised 3 years ago, and it appears that only part of its goal has been achieved. Artifacts are routinely signed when deployed; indeed, it is a requirement to publish on major Maven repos. However, as far as I can tell, if I'm a conscientious developer building Apache Thrift, say, on a modern distro:

    wget http://mirror.csclub.uwaterloo.ca/apache//thrift/0.6.1/thrift-0.6.1.tar.gz
    wget http://www.apache.org/dist/thrift/0.6.1/thrift-0.6.1.tar.gz.asc
    gpg --verify thrift-0.6.1.tar.gz.asc
    ./configure && make
    ...
    mvn.ant.tasks.download:
          [get] Getting: http://repo1.maven.org/maven2/org/apache/maven/maven-ant-tasks/2.1.3/maven-ant-tasks-2.1.3.jar
          [get] To: /home/e/third/thrift/lib/java/build/tools/maven-ant-tasks-2.1.3.jar

    mvn.init:
    [artifact:dependencies] [WARNING] Overriding profile: 'maven-ant-tasks-repo-profile' (source: pom) with new instance from source: pom
    [artifact:dependencies] Downloading: org/slf4j/slf4j-api/1.5.8/slf4j-api-1.5.8.pom from repository central at http://repo1.maven.org/maven2
    [artifact:dependencies] Downloading: org/slf4j/slf4j-parent/1.5.8/slf4j-parent-1.5.8.pom from repository central at http://repo1.maven.org/maven2
    [artifact:dependencies] Downloading: org/slf4j/slf4j-log4j12/1.5.8/slf4j-log4j12-1.5.8.pom from repository central at http://repo1.maven.org/maven2
    ...

I would have thought that I had done the right thing by verifying the signature on Thrift, that I was likely running official code. But without any warning, I just downloaded a bunch of unauthenticated JARs, and the build will happily execute their contents without any further validation. I don't even get a chance to retrieve the signatures that *are* on the server and check them by hand.
From what I can understand, the only way to ensure all artifact signatures are checked when using an ant rule such as mvn.ant.tasks.download is to already be aware of this gotcha and to install and configure a local repository manager such as Nexus Professional (is that available in the OSS version?), making sure that I have some kind of proxy set up to intercept the connection attempt to repo1.maven.org, and then I can build Thrift. In other words, if I'm a little oblivious to how Maven approaches security and artifact integrity, I'm screwed. This is not really a problem with Thrift per se. Any other software using Maven rules to retrieve dependencies and then relying on these for running tests, say, as part of a build will put their users at risk. MNG-2477 describes an architecture that would be secure by default, but my understanding is that this is not yet available. As a stopgap measure, it would go a long way toward offering some level of reassurance that downloaded artifacts are authentic if the central repository would only deliver artifacts over HTTPS, redirecting HTTP requests to HTTPS with a 301/302 for backward compatibility. Right now, repo1.maven.org is not even available over HTTPS. Thanks, Eric.
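As an added example (not Eric's code and not anything from the Maven or Thrift projects): a small Python audit that reads a build log in the maven-ant-tasks format quoted above, flags every artifact fetched over plain HTTP, and emits the by-hand wget/gpg check that the message applies to the Thrift tarball but the build never applies to its JARs. The log lines are constructed from the message; the one https line is added for contrast, and the assumption that a detached `.asc` sits beside each artifact on Central is taken from the message itself.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log in the shape of the maven-ant-tasks output quoted
# in the message; the https line is added to show the contrast.
SAMPLE_LOG = """\
mvn.ant.tasks.download:
      [get] Getting: http://repo1.maven.org/maven2/org/apache/maven/maven-ant-tasks/2.1.3/maven-ant-tasks-2.1.3.jar
      [get] To: /home/e/third/thrift/lib/java/build/tools/maven-ant-tasks-2.1.3.jar
mvn.init:
[artifact:dependencies] Downloading: org/slf4j/slf4j-api/1.5.8/slf4j-api-1.5.8.pom from repository central at http://repo1.maven.org/maven2
[artifact:dependencies] Downloading: org/slf4j/slf4j-parent/1.5.8/slf4j-parent-1.5.8.pom from repository central at https://repo1.maven.org/maven2
"""

GET_RE = re.compile(r"\[get\] Getting: (\S+)")
DL_RE = re.compile(r"Downloading: (\S+) from repository \S+ at (\S+)")

def artifact_urls(log_text):
    """Yield the full URL of every artifact the log shows being fetched."""
    for line in log_text.splitlines():
        m = GET_RE.search(line)
        if m:
            yield m.group(1)
            continue
        m = DL_RE.search(line)
        if m:
            path, base = m.groups()
            yield base.rstrip("/") + "/" + path

def audit(log_text):
    """Return (url, over_plain_http, signature_url) per fetched artifact.

    signature_url is where the detached PGP signature (.asc) is published
    beside the artifact on Central, so it can be fetched and checked by hand."""
    return [(u, urlsplit(u).scheme.lower() == "http", u + ".asc")
            for u in artifact_urls(log_text)]

def manual_check_commands(findings):
    """Build wget/gpg command lines for every artifact pulled over plain HTTP,
    mirroring the by-hand check the message applies to the Thrift tarball."""
    cmds = []
    for url, insecure, sig in findings:
        if insecure:
            name = url.rsplit("/", 1)[1]
            cmds.append(f"wget {url} && wget {sig} && gpg --verify {name}.asc {name}")
    return cmds
```

Run it over a real build log (`mvn ... | tee build.log`) to see which downloads never had their signatures checked; the gpg step still needs the publisher's key in your keyring to mean anything.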
