[MNG-6673] Deprecate HTTP Download & Upload - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: None
Fix Version/s: None
Component/s: Deployment
Labels:
- SECURITY
- security

Description

Some of the most popular Java projects in the JVM ecosystem are vulnerable to a MITM of their dependencies. This is something that build tools can help prevent.

Starting in the next release of Maven, Maven should begin warning users about the use of HTTP to download/upload artifacts to/from artifact servers.

I believe that Maven/Gradle/SBT should require users to opt-out of the security offered by using HTTPS to download/upload artifacts.

Here's a list of projects that were found to be vulnerable to this:

https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing

The full description of this industry-wide vulnerability can be found here:

Want to take over the Java ecosystem? All you need is a MITM!

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

mitm_build.jpeg
10/Jun/19 20:38
25 kB
Jonathan Leitschuh

Activity

People

Assignee:: Unassigned

Reporter:: Jonathan Leitschuh

Votes:: 3 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 10/Jun/19 13:39

Updated:: 23/Dec/20 09:00

Resolved:: 17/Aug/20 19:01