[ https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Osipov resolved MNG-6673.
---------------------------------
Resolution: Won't Fix
> Deprecate HTTP Download & Upload
> --------------------------------
>
> Key: MNG-6673
> URL: https://issues.apache.org/jira/browse/MNG-6673
> Project: Maven
> Issue Type: Improvement
> Components: Deployment
> Reporter: Jonathan Leitschuh
> Priority: Major
> Labels: SECURITY, security
> Attachments: mitm_build.jpeg
>
>
> Some of the most popular Java projects in the JVM ecosystem are vulnerable to
> a MITM of their dependencies. This is something that build tools can help
> prevent.
> Starting in the next release of Maven, Maven should begin warning users about
> the use of HTTP to download/upload artifacts to/from artifact servers.
> I believe that Maven/Gradle/SBT should require users to opt-out of the
> security offered by using HTTPS to download/upload artifacts.
> Here's a list of projects that were found to be vulnerable to this:
> [https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
>
> ----
> The full description of this industry-wide vulnerability can be found here:
> [Want to take over the Java ecosystem? All you need is a MITM!|https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e]
> !mitm_build.jpeg!
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
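The warning the issue asks Maven to emit is something a build owner can check for today. The following script is an added example, not Maven's own code and not part of the issue: it parses a pom.xml or settings.xml, walks the elements Maven reads repository URLs from (`<repository>`, `<pluginRepository>`, `<snapshotRepository>`, `<mirror>`, including those nested under `<profiles>` or `<distributionManagement>`), and reports every URL whose scheme is plain `http`. The two embedded XML documents are constructed samples with placeholder hosts.

```python
"""Flag plain-HTTP artifact repository URLs in Maven configuration.

Added example (not Maven's code). Every repository fetched or deployed to
over http is exposed to the on-path tampering the issue describes; this
script reports such entries so they can be switched to https.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Element names under which Maven looks for a repository <url>.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}


def _local(tag):
    """Strip the XML namespace so tag names match regardless of the declared POM/SETTINGS namespace."""
    return tag.rsplit("}", 1)[-1]


def find_http_repositories(xml_text):
    """Return [(element, repo_id, url)] for every repository whose URL uses plain http.

    Works for both pom.xml and settings.xml because it walks the whole tree,
    so repositories declared inside <profiles> are covered as well.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in REPO_TAGS:
            continue
        url = repo_id = None
        for child in elem:
            name = _local(child.tag)
            if name == "url":
                url = (child.text or "").strip()
            elif name == "id":
                repo_id = (child.text or "").strip()
        # urlsplit lowercases the scheme, so "HTTP://..." is caught too.
        if url and urlsplit(url).scheme == "http":
            findings.append((_local(elem.tag), repo_id, url))
    return findings


# Constructed sample pom.xml; hosts are placeholders, not real repositories.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>insecure-mirror</id>
      <url>http://repo.example.internal/maven2</url>
    </repository>
    <repository>
      <id>central-tls</id>
      <url>https://repo.example.com/maven2</url>
    </repository>
  </repositories>
  <distributionManagement>
    <snapshotRepository>
      <id>snapshots</id>
      <url>http://deploy.example.internal/snapshots</url>
    </snapshotRepository>
  </distributionManagement>
</project>
"""

# Constructed sample settings.xml with a mirror that silently redirects
# "central" to a plain-http host.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>corp-mirror</id>
      <mirrorOf>central</mirrorOf>
      <url>http://mirror.example.internal/maven2</url>
    </mirror>
  </mirrors>
</settings>
"""


def scan_file(path):
    """Read a Maven XML file from disk and return its plain-http findings."""
    with open(path, encoding="utf-8") as fh:
        return find_http_repositories(fh.read())


if __name__ == "__main__":
    # With no arguments, scan the embedded samples; otherwise scan the given files.
    sources = [(p, scan_file(p)) for p in sys.argv[1:]] or [
        ("sample pom.xml", find_http_repositories(SAMPLE_POM)),
        ("sample settings.xml", find_http_repositories(SAMPLE_SETTINGS)),
    ]
    bad = 0
    for name, hits in sources:
        for element, repo_id, url in hits:
            print(f"{name}: <{element}> id={repo_id!r} uses plain HTTP: {url}")
            bad += 1
    sys.exit(1 if bad else 0)
```

Run it against a real build with `python check_http_repos.py pom.xml ~/.m2/settings.xml`; a non-zero exit code makes it usable as a CI gate. Note that a mirror in settings.xml overrides the URL of the repository it mirrors, so settings.xml must be scanned alongside the POM to see the URL Maven actually contacts.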