[
https://issues.apache.org/jira/browse/AURORA-620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079391#comment-14079391
]
Kevin Sweeney commented on AURORA-620:
--------------------------------------
Why wait for Sonatype to deploy a new service now given that there's a patch
available for a more secure method right now that will improve developer
security? Longer-term checksum-pinning our dependencies with gradle-witness and
peep buys us more leverage against these types of MITM attacks (for as long as
jar+wheel signing isn't a common thing).
> Consider using JCenter over HTTPS instead of Maven Central
> ----------------------------------------------------------
>
> Key: AURORA-620
> URL: https://issues.apache.org/jira/browse/AURORA-620
> Project: Aurora
> Issue Type: Task
> Components: Build, Scheduler, Security
> Reporter: Kevin Sweeney
> Assignee: Kevin Sweeney
>
> Since there are tools in the wild to MITM Maven Central users, switch to
> JCenter over HTTPS.
> See
> http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
> for context.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
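The checksum pinning the comment above refers to is a small mechanism: record the expected SHA-256 of every dependency artifact at pin time, and refuse to use anything that does not match at build time, so a tampered jar or wheel served by an on-path attacker fails the build instead of running. The following added example (not code from the Aurora project, gradle-witness or peep) shows that check in Python. It assumes a peep-style pin file in which one or more `# sha256: <hex>` comment lines immediately precede each `name==version` line, and the artifact bytes and hashes it uses are constructed inline for the demonstration.

```python
"""Verify downloaded dependency artifacts against pinned SHA-256 checksums.

Added example, not code from the Aurora project, gradle-witness or peep.
Assumed pin-file format (peep-style): one or more '# sha256: <hex>' comment
lines directly before each 'name==version' requirement line.
"""
import hashlib
import re

PIN_LINE = re.compile(r"^#\s*sha256:\s*([0-9a-fA-F]{64})\s*$")
REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)==([A-Za-z0-9_.+-]+)\s*$")


def parse_pins(text):
    """Return {requirement: set(sha256 hex)} from pin-file text.

    Several '# sha256:' lines before one requirement are all accepted, so an
    sdist and a wheel of the same release can both be pinned. A requirement
    with no pin is an error: an unpinned dependency is an unverified one.
    """
    pins = {}
    pending = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = PIN_LINE.match(line)
        if m:
            pending.add(m.group(1).lower())
            continue
        m = REQ_LINE.match(line)
        if m:
            req = "%s==%s" % (m.group(1).lower(), m.group(2))
            if not pending:
                raise ValueError("line %d: %s has no sha256 pin" % (lineno, req))
            pins[req] = pending
            pending = set()
            continue
        if line.startswith("#"):
            continue  # ordinary comment
        raise ValueError("line %d: unparseable line %r" % (lineno, raw))
    if pending:
        raise ValueError("dangling sha256 pin with no requirement after it")
    return pins


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(pins, artifacts):
    """artifacts: {requirement: downloaded bytes}. Returns (ok, mismatched, missing).

    A mismatch is exactly what a tampered artifact served over plain HTTP
    produces; a build should fail if either mismatched or missing is non-empty.
    """
    ok, mismatched, missing = [], [], []
    for req, expected in sorted(pins.items()):
        data = artifacts.get(req)
        if data is None:
            missing.append(req)
        elif sha256_hex(data) in expected:
            ok.append(req)
        else:
            mismatched.append(req)
    return ok, mismatched, missing


# Constructed sample data: stand-ins for artifact bytes, and a pin file whose
# hashes are computed from them so the example runs offline.
GOOD_WHEEL = b"constructed wheel contents for demo-lib 1.0"
GOOD_SDIST = b"constructed sdist contents for demo-lib 1.0"
OTHER = b"constructed contents for other-lib 2.3"

SAMPLE_PINS = """
# pins generated at review time
# sha256: %s
# sha256: %s
demo-lib==1.0
# sha256: %s
other-lib==2.3
""" % (sha256_hex(GOOD_WHEEL), sha256_hex(GOOD_SDIST), sha256_hex(OTHER))


def demo(tampered=False):
    """Run the check over the sample; tampered=True simulates a modified download."""
    pins = parse_pins(SAMPLE_PINS)
    downloaded = {
        "demo-lib==1.0": GOOD_SDIST,
        "other-lib==2.3": (OTHER + b"\x00injected") if tampered else OTHER,
    }
    return verify_artifacts(pins, downloaded)


if __name__ == "__main__":
    print("clean:", demo())
    print("tampered:", demo(tampered=True))
```

The pin file is the trust anchor here, so it belongs in version control and changes to it should be reviewed like any other code change; the transport (HTTPS, as the issue proposes) protects the download in flight, while the pins catch a modified artifact regardless of how it arrived.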