
Please don't use insecure repositories #265

Open
argv-minus-one opened this Issue Nov 25, 2017 · 3 comments

Comments

@argv-minus-one
Contributor

argv-minus-one commented Nov 25, 2017

As of 8130aca, the build and generated POM use external repositories that are accessed by plain HTTP, not HTTP+TLS (https scheme). This exposes everyone who uses or builds this project (including you!) to man-in-the-middle attacks while downloading dependencies for it, injecting malicious code that runs with the full privileges of one's user account.

Please remove or replace these repositories as soon as possible.
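An added detection check (not part of this issue or the project's own build) that scans a generated POM and a Gradle build script for repositories declared over anything other than https; the sample POM and Gradle fragment below are constructed, and the hostnames in them are placeholders except the one quoted in this issue.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs mixing secure and insecure repository declarations.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <url>http://example.invalid/homepage</url>
  <repositories>
    <repository><id>restlet</id><url>http://maven.restlet.org</url></repository>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>http://plugins.example.invalid/m2</url></pluginRepository>
  </pluginRepositories>
</project>
"""

SAMPLE_GRADLE = """repositories {
    mavenCentral()
    maven { url "http://maven.restlet.org" }
    maven { url 'https://jitpack.io' }
    maven { url = uri("http://old.example.invalid/repo") }
}
"""

# Matches: url "..."  |  url '...'  |  url = uri("...")
_GRADLE_URL = re.compile(r"""url\s*=?\s*(?:uri\()?\s*["']([^"']+)["']""")
_REPO_TAGS = ("repository", "pluginRepository", "snapshotRepository")


def _is_insecure(url):
    # Local file:// repositories involve no network transport, so only
    # remote non-https schemes (http, plain ftp, ...) are flagged.
    return urlsplit(url.strip()).scheme.lower() not in ("https", "file")


def insecure_pom_repos(pom_xml):
    """Return repository URLs in a POM that are not fetched over https.

    Only <url> children of repository elements are inspected, so the
    project homepage <url> is ignored; the POM namespace is stripped."""
    root = ET.fromstring(pom_xml)
    found = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] in _REPO_TAGS:
            for child in el:
                if child.tag.rsplit("}", 1)[-1] == "url" and child.text:
                    if _is_insecure(child.text):
                        found.append(child.text.strip())
    return found


def insecure_gradle_repos(build_script):
    """Return maven { url ... } targets in a Gradle script that are not https."""
    return [u for u in _GRADLE_URL.findall(build_script) if _is_insecure(u)]
```

Running either function in CI and failing the build when the returned list is non-empty prevents a plain-HTTP repository from being reintroduced later.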

ndw added a commit that referenced this issue Mar 2, 2018

@ndw ndw closed this in 5ef6ea4 Mar 2, 2018

ndw added a commit that referenced this issue Mar 2, 2018

ndw added a commit that referenced this issue Mar 2, 2018

@ndw ndw reopened this Mar 2, 2018

@ndw


Owner

ndw commented Mar 2, 2018

@davidpriest


davidpriest commented Mar 3, 2018

For me, maven { url "https://maven.restlet.com" } works.

@ndw


Owner

ndw commented Mar 3, 2018

It works for me too, but Travis doesn't like it. They must be checking certificates more diligently.

  > Could not resolve org.restlet.jee:org.restlet:2.2.2.
     > Could not get resource 'https://maven.restlet.org/org/restlet/jee/org.restlet/2.2.2/org.restlet-2.2.2.pom'.
        > Could not GET 'https://maven.restlet.org/org/restlet/jee/org.restlet/2.2.2/org.restlet-2.2.2.pom'.
           > Host name 'maven.restlet.org' does not match the certificate subject provided by the peer (CN=restlet.com)

I guess rather than going back to an insecure repository I'll just put them in the project locally for the time being.

ndw added a commit that referenced this issue Mar 3, 2018

ndw added a commit that referenced this issue Mar 3, 2018
