Maven configuration may let artifacts that lightblue depends on be changed due to a man-in-the-middle attack #106

Closed
luan-cestari opened this issue Aug 15, 2014 · 8 comments

Comments

@luan-cestari luan-cestari added this to the 1.0.0.GA milestone Aug 15, 2014

@jewzaam

Member

commented Aug 15, 2014

A few notes:

  • by default, maven central uses HTTP
  • overriding the default is possible but seems to require updated settings.xml

I tried these and it didn't use HTTPS:

  • create 'central' repository and pluginRepository entries in root pom with HTTPS
  • create 'central' profile with HTTPS overrides and execute with -P on command line and by setting activeByDefault in the profile

But following the steps on http://central.sonatype.org/pages/consumers.html#apache-maven did work. I don't like having to set up a settings.xml, but it looks like there is no other way to work around this for now.

Any other options I'm missing?

@jewzaam

Member

commented Aug 15, 2014

Added a settings.xml in d22ae9c

Can be used from mvn cli, for example: mvn clean install -s ./settings.xml

Or can install to ~/.m2/settings.xml and not have to do that.

  • Update travis-ci configs to use settings.xml
  • Update internal builds to use settings.xml
  • Update developer documentation to recommend installation of settings.xml

@jewzaam jewzaam modified the milestones: 1.0.0.GA, RC1 Aug 15, 2014

@jewzaam jewzaam added the in progress label Aug 15, 2014

@jewzaam jewzaam self-assigned this Aug 15, 2014

@jewzaam

Member

commented Aug 15, 2014

For travis-ci can do a before_install section to cp the settings.xml to ~/.m2 and it works! Don't have to worry about overriding default steps to include -s ./settings.xml

@luan-cestari

Collaborator Author

commented Aug 15, 2014

I thought we could overload the central repositories (and others) in the pom.xml file (so it would be self-contained, which would not imply additional steps for travis, devs, etc.)

@jewzaam

Member

commented Aug 15, 2014

@jewzaam

Member

commented Aug 15, 2014

Regarding the override in pom.xml: it didn't work. I set it in several different ways as noted and it didn't actually use http. I suspect it's because the repo is defined in a root pom. I didn't find documentation on how repos are resolved, but from what I saw I suspect it will not allow override of a repo. Putting it in settings.xml defines the repo BEFORE the pom is processed, therefore meaning the pom cannot set it any more. But this is a guess.

@luan-cestari

Collaborator Author

commented Aug 15, 2014

Great Job =)
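
Added example, not part of the thread or of lightblue's repository: a small audit that a build could run against the settings.xml approach discussed above, reporting repository entries that are not HTTPS and whether 'central' is overridden for both artifacts and plugins. The sample file, the host `repo.example.test` and the profile id `securecentral` are constructed, and the check follows the thread's premise that 'central' falls back to HTTP unless overridden.

```python
import xml.etree.ElementTree as ET

# Constructed sample: 'central' is overridden with HTTPS for artifacts, but the
# pluginRepository entry was left on plain HTTP (host and profile id are made up).
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles><profile>
    <id>securecentral</id>
    <repositories>
      <repository><id>central</id><url>https://repo.example.test/maven2</url></repository>
    </repositories>
    <pluginRepositories>
      <pluginRepository><id>central</id><url>http://repo.example.test/maven2</url></pluginRepository>
    </pluginRepositories>
  </profile></profiles>
</settings>"""

REPO_TAGS = ("repository", "pluginRepository", "mirror")

def local(tag):
    """Strip the XML namespace: '{ns}repository' -> 'repository'."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (insecure, missing): entries whose URL is not https, and which of
    repository/pluginRepository have no HTTPS entry with id 'central'."""
    # Meant for files in your own checkout; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    insecure, secured_central = [], set()
    for el in root.iter():
        kind = local(el.tag)
        if kind not in REPO_TAGS:
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        url, repo_id = fields.get("url", ""), fields.get("id", "")
        if not url.lower().startswith("https://"):
            insecure.append((kind, repo_id, url))
        elif repo_id == "central":
            secured_central.add(kind)
    missing = [k for k in ("repository", "pluginRepository") if k not in secured_central]
    return insecure, missing

if __name__ == "__main__":
    insecure, missing = audit(SAMPLE_SETTINGS)
    print("non-HTTPS entries:", insecure)
    print("no HTTPS 'central' override for:", missing)
```

The audit does not check that the profile is actually activated, so a clean result still needs the file to be the one Maven loads (`-s ./settings.xml` or `~/.m2/settings.xml`, as described in the thread).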
