/xmlcalabash1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please don't use insecure repositories #265

Open
argv-minus-one opened this Issue Nov 25, 2017 · 3 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@argv-minus-one @ndw @davidpriest
@argv-minus-one
Contributor

argv-minus-one commented Nov 25, 2017

As of 8130aca, the build and generated POM use external repositories that are accessed by plain HTTP, not HTTP+TLS (https scheme). This exposes everyone who uses or builds this project (including you!) to man-in-the-middle attacks while downloading dependencies for it, injecting malicious code that runs with the full privileges of one's user account.

Please remove or replace these repositories as soon as possible.

ndw added a commit that referenced this issue Mar 2, 2018

@ndw
Close #265 and fix a fileupload dependency
Unverified
The usage flags for the key that signed this don’t allow signing.
GPG key ID: 3B296D51CC185A3B Learn about signing commits
a433d86

@ndw ndw closed this in 5ef6ea4 Mar 2, 2018

ndw added a commit that referenced this issue Mar 2, 2018

@ndw
Close #265 and fix a fileupload dependency
Unverified
The usage flags for the key that signed this don’t allow signing.
GPG key ID: 3B296D51CC185A3B Learn about signing commits
182879f

ndw added a commit that referenced this issue Mar 2, 2018

@ndw
Close #265 and fix a fileupload dependency
Unverified
The usage flags for the key that signed this don’t allow signing.
GPG key ID: 3B296D51CC185A3B Learn about signing commits
539a850

@ndw ndw reopened this Mar 2, 2018

@ndw

This comment has been minimized.

Sign in to view
Owner

ndw commented Mar 2, 2018
edited

Fails because maven.restlet.org has a bad cert. :-(

See https://travis-ci.org/ndw/xmlcalabash1/builds/348340392
and https://twitter.com/ndw/status/969634703656529925
@davidpriest

This comment has been minimized.

Sign in to view

davidpriest commented Mar 3, 2018

For me, maven { url "https://maven.restlet.com" } works.
@ndw

This comment has been minimized.

Sign in to view
Owner

ndw commented Mar 3, 2018

It works for me too, but Travis doesn't like it. They must be checking certificates more diligently.

  > Could not resolve org.restlet.jee:org.restlet:2.2.2.
     > Could not get resource 'https://maven.restlet.org/org/restlet/jee/org.restlet/2.2.2/org.restlet-2.2.2.pom'.
        > Could not GET 'https://maven.restlet.org/org/restlet/jee/org.restlet/2.2.2/org.restlet-2.2.2.pom'.
           > Host name 'maven.restlet.org' does not match the certificate subject provided by the peer (CN=restlet.com)

I guess rather than going back to an insecure repository I'll just put them in the project locally for the time being.

ndw added a commit that referenced this issue Mar 3, 2018

@ndw
Close #265 and fix a fileupload dependency
Unverified
The usage flags for the key that signed this don’t allow signing.
GPG key ID: 3B296D51CC185A3B Learn about signing commits
7861b77

ndw added a commit that referenced this issue Mar 3, 2018

@ndw
Close #265 and fix a fileupload dependency
Unverified
The usage flags for the key that signed this don’t allow signing.
GPG key ID: 3B296D51CC185A3B Learn about signing commits
8fc332c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment