maven-issues mailing list archives

From "Michael Osipov (JIRA)" <>
Subject [jira] [Commented] (MNG-6673) Deprecate HTTP Download & Upload
Date Fri, 26 Jul 2019 06:20:00 GMT


Michael Osipov commented on MNG-6673:

This is not a blocker, no need to spread FUD. I bet no one will work on this this year.

> Deprecate HTTP Download & Upload
> --------------------------------
>                 Key: MNG-6673
>                 URL:
>             Project: Maven
>          Issue Type: Improvement
>          Components: Deployment
>            Reporter: Jonathan Leitschuh
>            Priority: Major
>              Labels: SECURITY, security
>         Attachments: mitm_build.jpeg
> Some of the most popular Java projects in the JVM ecosystem are vulnerable to a MITM of their dependencies. This is something that build tools can help prevent.
> Starting in the next release of Maven, Maven should begin warning users about the use of HTTP to download/upload artifacts to/from artifact servers.
> I believe that Maven/Gradle/SBT should require users to opt-out of the security offered by using HTTPS to download/upload artifacts.
> Here's a list of projects that were found to be vulnerable to this:
> []
> ----
> The full description of this industry-wide vulnerability can be found here:
> [Want to take over the Java ecosystem? All you need is a MITM!|]
>  !mitm_build.jpeg! 

This message was sent by Atlassian JIRA
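An added detection example, not part of the ticket, the comment, or Maven itself: a Python script that flags plain-HTTP `<url>` entries in `repository`, `pluginRepository`, `snapshotRepository` and `mirror` elements of a `pom.xml` or `settings.xml`, the kind of warning the ticket asks the build tool to emit. The sample POM and its hostnames are constructed for the example.

```python
"""Flag plain-HTTP artifact repository URLs in Maven POM and settings files."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements whose <url> child points at an artifact server, in pom.xml and settings.xml.
REPO_ELEMENTS = ("repository", "pluginRepository", "snapshotRepository", "mirror")


def _local(tag):
    """Strip the XML namespace: '{http://maven.apache.org/POM/4.0.0}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def find_insecure_repos(xml_text):
    """Return (element, id, url) for each repository-like element whose <url> uses http://.

    Works on pom.xml and settings.xml alike; the POM namespace is ignored so the
    same code handles both files."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in REPO_ELEMENTS:
            continue
        repo_id, url = None, None
        for child in elem:
            name = _local(child.tag)
            if name == "id":
                repo_id = (child.text or "").strip()
            elif name == "url":
                url = (child.text or "").strip()
        # Only the scheme matters: a cleartext URL is what a network attacker can tamper with.
        if url and urlparse(url).scheme.lower() == "http":
            findings.append((_local(elem.tag), repo_id, url))
    return findings


# Constructed sample pom.xml (not from any real project): two cleartext repos, one HTTPS.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>insecure</id><url>http://repo.example.invalid/maven2</url></repository>
    <repository><id>secure</id><url>https://repo.example.invalid/maven2</url></repository>
  </repositories>
  <distributionManagement>
    <snapshotRepository><id>snaps</id><url>http://snapshots.example.invalid/</url></snapshotRepository>
  </distributionManagement>
</project>
"""

if __name__ == "__main__":
    for kind, repo_id, url in find_insecure_repos(SAMPLE_POM):
        print(f"WARNING: {kind} '{repo_id}' uses plain HTTP: {url}")
```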
