[
https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17179181#comment-17179181
]
Michael Osipov commented on MNG-6673:
-------------------------------------
As with most improvement requests: most people request, but no one contributes.
Nothing implied or officially communicated. No committer had the interest to
work on this. In fact, we deliver with Maven Central via HTTPS only. The rest
is up to the user. From your point of view, the C programming language should
be forbidden. If someone wants to work on it, fine. I'd be happy to reopen, but
don't expect us to do anything.
> Deprecate HTTP Download & Upload
> --------------------------------
>
> Key: MNG-6673
> URL: https://issues.apache.org/jira/browse/MNG-6673
> Project: Maven
> Issue Type: Improvement
> Components: Deployment
> Reporter: Jonathan Leitschuh
> Priority: Major
> Labels: SECURITY, security
> Attachments: mitm_build.jpeg
>
>
> Some of the most popular Java projects in the JVM ecosystem are vulnerable to
> a MITM of their dependencies. This is something that build tools can help
> prevent.
> Starting in the next release of Maven, Maven should begin warning users about
> the use of HTTP to download/upload artifacts to/from artifact servers.
> I believe that Maven/Gradle/SBT should require users to opt-out of the
> security offered by using HTTPS to download/upload artifacts.
> Here's a list of projects that were found to be vulnerable to this:
> [https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
>
> ----
> The full description of this industry-wide vulnerability can be found here:
> [Want to take over the Java ecosystem? All you need is a
> MITM!|https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e]
> !mitm_build.jpeg!
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
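Added example for this thread, not Maven's own code and not from the reporter or the commenter: a small Python scanner that performs the check the issue asks the build tool to perform, reporting every repository, plugin repository, deployment target or mirror in a pom.xml or settings.xml whose URL uses plain http://. The element paths it walks are the standard POM and settings locations; the two XML documents and the hostnames under .example.test are constructed sample input. It does not interpolate ${...} property placeholders and only inspects the files it is given (parent POMs and the user's ~/.m2/settings.xml must be fed in separately).

```python
"""Flag Maven repositories that artifacts are fetched from or deployed to over plain HTTP."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Paths (local tag names, namespace ignored) to elements carrying an <id> and a <url>
# that Maven resolves artifacts from or deploys artifacts to.
REPOSITORY_PATHS = (
    "repositories/repository",                           # pom.xml
    "pluginRepositories/pluginRepository",
    "distributionManagement/repository",
    "distributionManagement/snapshotRepository",
    "profiles/profile/repositories/repository",          # pom.xml or settings.xml
    "profiles/profile/pluginRepositories/pluginRepository",
    "mirrors/mirror",                                    # settings.xml
)

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _local(tag):
    """Drop the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _children(elements, name):
    return [c for e in elements for c in e if _local(c.tag) == name]


def _child_text(element, name):
    for c in element:
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return ""


def find_insecure_repositories(xml_text, allow_loopback=True):
    """Return [(repo_id, url), ...] for every repository reached over http://.

    Scheme matching is case-insensitive (urlsplit lower-cases it). With
    allow_loopback=True, plain-HTTP URLs to the local host are skipped: a
    repository manager on the same machine is not exposed to an on-path attacker.
    ${property} placeholders are not resolved, so an interpolated scheme is missed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for path in REPOSITORY_PATHS:
        nodes = [root]
        for part in path.split("/"):
            nodes = _children(nodes, part)
        for repo in nodes:
            url = _child_text(repo, "url")
            parts = urlsplit(url)
            if parts.scheme != "http":
                continue
            if allow_loopback and parts.hostname in LOOPBACK_HOSTS:
                continue
            findings.append((_child_text(repo, "id") or "<no id>", url))
    return findings


# Constructed sample input (hostnames are placeholders, not real repositories).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository><id>legacy-mirror</id><url>http://repo.example.test/maven2</url></repository>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>local-proxy</id><url>http://localhost:8081/repository/maven-public/</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins-http</id><url>HTTP://plugins.example.test/maven2</url></pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <repository><id>deploy-http</id><url>http://deploy.example.test/releases</url></repository>
  </distributionManagement>
</project>"""

SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror><id>insecure-mirror</id><mirrorOf>central</mirrorOf><url>http://mirror.example.test/maven2</url></mirror>
  </mirrors>
  <profiles>
    <profile><id>corp</id>
      <repositories>
        <repository><id>corp-releases</id><url>https://repo.corp.example.test/releases</url></repository>
      </repositories>
    </profile>
  </profiles>
</settings>"""


if __name__ == "__main__":
    for name, doc in (("pom.xml", SAMPLE_POM), ("settings.xml", SAMPLE_SETTINGS)):
        for repo_id, url in find_insecure_repositories(doc):
            print(f"WARNING {name}: repository '{repo_id}' uses plain HTTP: {url}")
```

Run it against a real project with `find_insecure_repositories(open("pom.xml").read())`; the deployment targets under distributionManagement matter as much as the download repositories, since an on-path attacker can tamper with uploads as well as downloads.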