when run over a
transport layer that lacks security.
I have attached a very crude patch that implements this behaviour, but
I'm sure it needs to be reworked before it's ready to be merged.
Do people agree that it would be good to issue those warnings?
best regards
Alexander Kjäll
diff --git
unique hostname that it downloads from.
//Alex
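The behaviour being proposed in this thread, a warning for downloads over an insecure transport that is issued only once per repository URL, as an added illustration in Python. This is not Alexander's attached patch nor Maven/Aether code; the class name, the `on_download` hook, the URL-normalisation rules and the sample repository URLs are assumptions made for the example.

```python
"""Warn once per repository when an artifact is fetched over an insecure transport.

Added illustration for the thread above; not the attached patch and not
Maven/Aether code.  The class name, the on_download hook and the sample URLs
are assumptions made for this example.
"""
from urllib.parse import urlsplit

# Schemes that give no transport-layer integrity or confidentiality.
INSECURE_SCHEMES = {"http", "ftp"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def normalize_repository(url: str) -> str:
    """Canonical key for a repository URL so one repository is reported once.

    Scheme and host are case-insensitive, a default port equals no port, and a
    trailing slash on the base path is insignificant (assumed rules).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = parts.path.rstrip("/") or "/"
    return f"{scheme}://{netloc}{path}"


class InsecureTransportWarner:
    """Remembers which repositories have already produced a warning."""

    def __init__(self):
        self._warned = set()
        self.warnings = []

    def on_download(self, repository_url: str, artifact: str) -> bool:
        """Hook called for every artifact download (assumed integration point).

        Returns True when a warning was emitted for this download, False when the
        transport is secure or the repository was already reported.
        """
        scheme = urlsplit(repository_url).scheme.lower()
        if scheme not in INSECURE_SCHEMES:
            return False
        key = normalize_repository(repository_url)
        if key in self._warned:
            return False  # already reported for this repository
        self._warned.add(key)
        msg = (f"WARNING: artifact {artifact} fetched from {key} over "
               f"insecure transport '{scheme}'; prefer https:// for this repository")
        self.warnings.append(msg)
        print(msg)
        return True


if __name__ == "__main__":
    # Constructed sample downloads: the same repository written three ways,
    # one https download, and a second http repository on a non-default port.
    warner = InsecureTransportWarner()
    for repo, art in [
        ("http://repo.example.org/maven2/", "org.example:lib:1.0"),
        ("HTTP://Repo.Example.org:80/maven2", "org.example:other:2.0"),
        ("http://repo.example.org/maven2", "org.example:third:3.0"),
        ("https://repo.example.org/maven2/", "org.example:lib:1.0"),
        ("http://repo.example.org:8081/nexus/", "org.example:lib:1.0"),
    ]:
        warner.on_download(repo, art)
    print(f"{len(warner.warnings)} warning(s) emitted")
```

The normalisation step is what keeps the log quiet: without it a repository written once with a trailing slash and once without, or with `:80` spelled out, would be reported as three different repositories.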
2016-10-08 12:03 GMT+02:00 Alexander Kjäll <alexander.kj...@gmail.com>:
> I liked the idea to only issue warnings about repository urls and not
> for every download, that would greatly reduce the amount of duplicated
> informati
Osipov <micha...@apache.org>:
> Am 2016-10-07 um 23:31 schrieb Alexander Kjäll:
>>
>> Hi
>>
>> I would like to propose that maven issues a warning when an artifact
>> gets downloaded over http instead of https.
>>
>> The current security model
only for the first one to avoid excessive logging. So maybe
>> just warn for each specific repository URL once.
>>
>> Manfred
>>
>> Alexander Kjäll wrote on 2016-10-07 15:42:
>>
>>> That's good feedback, I'll investigate the aether code and pro
it would be possible to simplify the verification of gpg
signatures and make it possible to automate it in a reasonable
manner.
best regards
Alexander Kjäll
2016-12-05 18:29 GMT+01:00 Hervé BOUTEMY <herve.bout...@free.fr>:
> I fear the proposed change would not improve security
understand that .md5 files aren't used to verify that the downloaded
artifact isn't controlled by an attacker, but at least I use the .asc
files for that. Do you mean that they also have some other purpose?
best regards
Alexander Kjäll
On 05. des. 2016 23:10, Bernd Eckenfels wrote:
Having artifact
not really possible to fix this without changing the structure of the
pom, I didn't even bother to write a patch for it.
If there is a chance that a fix for this problem would be included, then
I would be happy to try to write a patch for it.
best regards
Alexander Kjäll
On 05. des. 2016 08:23, Hervé
Hi
The attack scenario that I'm trying to guard against is the following:
Stopping an attacker that manages to exploit our nexus server from
being able to run arbitrary code on all the build servers and developer
machines in our organization.
best regards
Alexander Kjäll
On 06. des