[security] Download mechanism compromisable. #55
Comments
I guess it could be done, not sure how much effort. Could you prototype it?
Re proxying, it's built-in:
Re local mirror, we could add an override (cmd line or property, downloadUrl or something). Would that work for your environment?
Yes, that would also work.
By specifying the artifact id (group, artifact and version), it will use the standard Maven mechanisms. The documentation doesn't say this explicitly. A direct download should be the VERY last resort, especially via https. Why use a proxy if you already have a mirror (which in return has a proxy configured)?
Well, part of the question was about proxy. I guess download URL override could be an enhancement. Note that
True… it may be an optional dependency, but I always find
If you make the URL configurable, this would already be helpful. Perhaps a switch to switch direct downloading on and off (thus making the last step optional and fail fast).
@bmhm, are you using Maven mirror or proxy? settings.xml would be useful.
Could you try building this branch
And run
Thanks
Closing, see #57
Hi,
For one, your download mechanism doesn't use Maven mechanisms. This means: no https, no checking of checksums or digital signatures. After download, the file could have been altered before execution. You don't do any checking, as far as I can tell.
On the other hand I'd like to be able to use my local proxying / mirroring repository.
With a hardcoded URL this is just not possible:
https://github.com/os72/protoc-jar/blob/master/src/main/java/com/github/os72/protocjar/Protoc.java#L271
I think it would be a wise idea to use the maven API to download artifacts. Can this be done?
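As an added example (not code from protoc-jar or from the issue author), one way to close the "no checksum check before execution" gap described above in Java 17+: pin the expected SHA-256 of the artifact, obtained over a trusted channel, and refuse to execute a download whose digest does not match. The class name, payload and digest below are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

/** Pin-and-verify helper (hypothetical name): refuse to use a downloaded
 *  artifact unless its SHA-256 equals a digest recorded ahead of time, e.g.
 *  from the release page or a repository .sha256 file fetched over HTTPS. */
public final class PinnedDownloadCheck {

    /** Returns true only if the file's SHA-256 equals expectedHex. */
    public static boolean digestMatches(Path file, String expectedHex) throws IOException {
        byte[] actual = sha256(Files.readAllBytes(file));
        byte[] expected = HexFormat.of().parseHex(expectedHex.toLowerCase());
        // Constant-time comparison so a mismatch reveals nothing about its position.
        return MessageDigest.isEqual(actual, expected);
    }

    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available in this JRE", e);
        }
    }

    /** Walks the "download, then verify, only then execute" flow with a constructed payload. */
    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a downloaded binary. In real use the pin comes from
        // the publisher, never from the download itself.
        byte[] payload = "pretend-protoc-binary".getBytes(StandardCharsets.UTF_8);
        String pinnedDigest = HexFormat.of().formatHex(sha256(payload));

        Path tmp = Files.createTempFile("protoc-download", ".bin");
        Files.write(tmp, payload);
        System.out.println("untampered file passes: " + digestMatches(tmp, pinnedDigest));

        // Simulate the post-download alteration the issue warns about: one byte flipped.
        payload[0] ^= 0x01;
        Files.write(tmp, payload);
        System.out.println("tampered file passes:   " + digestMatches(tmp, pinnedDigest));

        Files.deleteIfExists(tmp);
        // Only after digestMatches returns true should the file be marked executable and run.
    }
}
```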