[
https://issues.apache.org/jira/browse/AURORA-620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14078736#comment-14078736
]
Jake Farrell commented on AURORA-620:
-------------------------------------
This has come up on a couple of the infra lists and is something that is
managed by Maven Central. They are working on a blog post in response to this
issue and from what I understand will be addressing all concerns.

As part of 0.6.0, if we plan to release any jar/war packages then they will be
deployed to repository.apache.org (https) which is picked up and mirrored to
Maven Central, not JCenter. I would say that this and AURORA-616 are extra
additions that are not needed. If this is truly a concern then we can vendor
cache these libs in the repo and build a binary dist package which contains
all dependencies in addition to the source dist we currently make.
> Consider using JCenter over HTTPS instead of Maven Central
> ----------------------------------------------------------
>
> Key: AURORA-620
> URL: https://issues.apache.org/jira/browse/AURORA-620
> Project: Aurora
> Issue Type: Task
> Components: Build, Scheduler, Security
> Reporter: Kevin Sweeney
> Assignee: Kevin Sweeney
>
> Since there are tools in the wild to MITM Maven Central users, switch to
> JCenter over HTTPS.
> See
> http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
> for context.