Skip to content

/ xmlcalabash1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Please don't use insecure repositories #265

Closed
argv-minus-one opened this issue Nov 25, 2017 · 4 comments
Closed

Please don't use insecure repositories #265

argv-minus-one opened this issue Nov 25, 2017 · 4 comments

Comments

@argv-minus-one
Copy link
Contributor

@argv-minus-one argv-minus-one commented Nov 25, 2017

As of 8130aca, the build and generated POM use external repositories that are accessed by plain HTTP, not HTTP+TLS (https scheme). This exposes everyone who uses or builds this project (including you!) to man-in-the-middle attacks while downloading dependencies for it, injecting malicious code that runs with the full privileges of one's user account.

Please remove or replace these repositories as soon as possible.
ndw added a commit that referenced this issue Mar 2, 2018
@ndw
Close #265 and fix a fileupload dependency
Unverified
The usage flags for the key that signed this don’t allow signing.
GPG key ID: 3B296D51CC185A3B Learn about signing commits
Loading status checks…
a433d86
@ndw ndw closed this in 5ef6ea4 Mar 2, 2018
ndw added a commit that referenced this issue Mar 2, 2018
@ndw
Close #265 and fix a fileupload dependency
Unverified
The usage flags for the key that signed this don’t allow signing.
GPG key ID: 3B296D51CC185A3B Learn about signing commits
182879f
ndw added a commit that referenced this issue Mar 2, 2018
@ndw
Close #265 and fix a fileupload dependency
Unverified
The usage flags for the key that signed this don’t allow signing.
GPG key ID: 3B296D51CC185A3B Learn about signing commits
539a850
@ndw ndw reopened this Mar 2, 2018
@ndw
Copy link
Owner

@ndw ndw commented Mar 2, 2018
edited

Fails because maven.restlet.org has a bad cert. :-(

See https://travis-ci.org/ndw/xmlcalabash1/builds/348340392
and https://twitter.com/ndw/status/969634703656529925
@davidpriest
Copy link

@davidpriest davidpriest commented Mar 3, 2018

For me, maven { url "https://maven.restlet.com" } works.
@ndw
Copy link
Owner

@ndw ndw commented Mar 3, 2018

It works for me too, but Travis doesn't like it. They must be checking certificates more diligently.

  > Could not resolve org.restlet.jee:org.restlet:2.2.2.
     > Could not get resource 'https://maven.restlet.org/org/restlet/jee/org.restlet/2.2.2/org.restlet-2.2.2.pom'.
        > Could not GET 'https://maven.restlet.org/org/restlet/jee/org.restlet/2.2.2/org.restlet-2.2.2.pom'.
           > Host name 'maven.restlet.org' does not match the certificate subject provided by the peer (CN=restlet.com)

I guess rather than going back to an insecure repository I'll just put them in the project locally for the time being.
ndw added a commit that referenced this issue Mar 3, 2018
@ndw
Close #265 and fix a fileupload dependency
Unverified
The usage flags for the key that signed this don’t allow signing.
GPG key ID: 3B296D51CC185A3B Learn about signing commits
7861b77
ndw added a commit that referenced this issue Mar 3, 2018
@ndw
Close #265 and fix a fileupload dependency
Unverified
The usage flags for the key that signed this don’t allow signing.
GPG key ID: 3B296D51CC185A3B Learn about signing commits
8fc332c
@ndw
Copy link
Owner

@ndw ndw commented Mar 6, 2019

This appears to be resolved. I've got an https: link to restlet.org and it's working.
@ndw ndw closed this Mar 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
@ndw @davidpriest @argv-minus-one