Warning when artifacts are downloaded over an insecure channel

when run over a transport layer that lacks security. I have attached a very crude patch that implements this behaviour, but I'm sure it needs to be reworked before it's ready to be merged. Do people agree that it would be good to issue those warnings? best regards Alexander Kjäll diff --git

Re: Warning when artifacts are downloaded over an insecure channel

unique hostname that it downloads from. //Alex 2016-10-08 12:03 GMT+02:00 Alexander Kjäll <alexander.kj...@gmail.com>: > I liked the idea to only issue warnings about repository urls and not > for every download, that would greatly reduce the amount of duplicated > informati

Re: Warning when artifacts are downloaded over an insecure channel

Osipov <micha...@apache.org>: > Am 2016-10-07 um 23:31 schrieb Alexander Kjäll: >> >> Hi >> >> I would like to propose that maven issues a warning when an artifacts >> gets downloaded over http instead of https. >> >> The current security model

Re: Warning when artifacts are downloaded over an insecure channel

only for the first one to avoid excessive logging. So maybe >> just warn for each specific repository URL once. >> >> Manfred >> >> Alexander Kjäll wrote on 2016-10-07 15:42: >> >>> Thats good feedback, I'll investigate the aether code and pro

Re: Taking Security Seriously

it would be possible to simplify the verification of gpg signatures and make it be possible to automate it in a resonable manner. best regards Alexander Kjäll 2016-12-05 18:29 GMT+01:00 Hervé BOUTEMY <herve.bout...@free.fr>: > I fear the proposed change would not improve security

Re: Taking Security Seriously

understand that .md5 files isn't used to verify that the downloaded artifact isn't controlled by an attacker, but at least I use the .asc files for that. Do you mean that they also have some other purpose? best regards Alexander Kjäll On 05. des. 2016 23:10, Bernd Eckenfels wrote: Having artifact

Re: Taking Security Seriously

not really possible to fix this without changing the structure of the pom i didn't even bother to write a patch for it. If there is a chance that a fix for this problem would be included, then I would be happy to try to write a patch for it. best regards Alexander Kjäll On 05. des. 2016 08:23, Hervé

Re: Taking Security Seriously

Hi The attack scenario that I'm trying to guard against is the following: Stopping an attacker that manages to exploit the our nexus server from being able to run arbitrary code on all the build servers and developer machines in our organization. best regards Alexander Kjäll On 06. des