HTTPS: Change default repositories to use HTTPS #1541
Comments
0.13.6 will use HTTPS by default for Maven Central (#1494). There's an ongoing effort to support HTTPS for other repositories repo.typesafe.com and repo.scala-sbt.org.
Thanks, I missed that one. Is the launcher already using https as well? It seems that in https://github.com/rtyley/sbt/blob/c5704d03c1e0648bed999dbccd8b8f4191518a32/launch/src/main/scala/xsbt/boot/Update.scala#L317 it is still using the predefined URL in ivy for the
Yes, it looks that way. I guess we need another change that'll read
Of course, there's the technical issue which can be solved by someone providing a fix. However, there's also the overarching issue where the sbt team needs to decide if and how to make sbt more secure and take responsibility to make sure that it really is. It seems some part of the discussion has already taken place in the mentioned tickets. As we all know, the whole issue is not new at all, e.g. Red Hat has been collecting hashes of compromised jars for years (https://victi.ms/). Still, there's now a simple proof-of-concept exploit (see the top link), and Sonatype's decision to change their long-standing SSL policy also shows rising awareness that something should be done about it in the near future. My wish would be that a process is started now where the sbt team acknowledges the issues, enumerates what needs to be done and aims for one of the next releases to provide some assurance that those issues are fixed by then, so that the release notes can contain a claim with some confidence that sbt is now secure to the best of one's knowledge. As security issues are usually infinite, it may be useful if it contained a list of known remaining attack vectors that still cannot be prevented (or that need attention of the user, like user-defined repositories). I would propose at least this:
I don’t think there’s an alternative for java.net Maven 1 repository.
I'd like to limit the scope of this Github issue to just the first bullet point targeting the next sbt release 0.13.6.
For broader solutions, we should discuss with the community on the sbt-dev list what the sbt project should do.
#1541. Use HTTPS for sbt plugin repository
👍 Thanks, Eugene, LGTM AFAICS.
summary
original report
See http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/ for the background.
This should now be easy for Maven central, not sure which typesafe repositories already support https.
There are already pending PRs (#1526, #1536) that change some defaults but the potential impact may warrant a more thorough check through all of sbt's code.
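The original report asks for a more thorough check through sbt's code for repositories that are still reached over plain HTTP. As an added example (not part of this issue and not sbt's own code), the script below scans a `build.sbt` fragment and a `[repositories]`-style file and lists every resolver whose URL starts with `http://`. The sample inputs are constructed for the example; the regular expressions are an assumption that resolvers are written in the simple `"name" at "url"`, `Resolver.url("name", url("..."))` or `name: url[, pattern]` forms. Flagged entries still need a manual check that the host actually serves HTTPS, since the thread notes that not every repository does.

```python
import re

# Constructed sample: a build.sbt fragment with a mix of http and https resolvers.
SAMPLE_BUILD_SBT = '''
resolvers += "Typesafe releases" at "http://repo.typesafe.com/typesafe/releases/"
resolvers += "sbt plugin releases" at "https://repo.scala-sbt.org/scalasbt/sbt-plugin-releases/"
resolvers += Resolver.url("sbt ivy", url("http://repo.scala-sbt.org/scalasbt/ivy-releases/"))(Resolver.ivyStylePatterns)
'''

# Constructed sample: a ~/.sbt/repositories style file (name: url[, ivy pattern]).
SAMPLE_REPOSITORIES_FILE = '''
[repositories]
  local
  maven-central: https://repo1.maven.org/maven2/
  java-net-maven1: http://download.java.net/maven/1/, [organization]/[module]/[revision]/[type]s/[artifact](-[classifier]).[ext]
'''

# "name" at "url"  (assumed plain sbt resolver DSL form)
AT_PATTERN = re.compile(r'"([^"]+)"\s+at\s+"([^"]+)"')
# Resolver.url("name", url("...")) (assumed ivy-style resolver form)
RESOLVER_URL_PATTERN = re.compile(
    r'Resolver\.url\(\s*"([^"]+)"\s*,\s*url\(\s*"([^"]+)"\s*\)')
# name: url[, pattern]  lines of the [repositories] file; section headers and
# the bare "local" entry do not match because they have no "name:" prefix.
REPO_LINE_PATTERN = re.compile(r'^\s*([\w.-]+)\s*:\s*(\S+?)\s*(?:,.*)?$', re.MULTILINE)


def is_plain_http(url):
    """True when the URL uses the unauthenticated http scheme."""
    return url.lower().startswith("http://")


def find_insecure_resolvers_in_sbt(text):
    """Return (name, url) pairs for plain-HTTP resolvers in a build.sbt fragment."""
    found = []
    for name, url in AT_PATTERN.findall(text):
        if is_plain_http(url):
            found.append((name, url))
    for name, url in RESOLVER_URL_PATTERN.findall(text):
        if is_plain_http(url):
            found.append((name, url))
    return found


def find_insecure_resolvers_in_repositories_file(text):
    """Return (name, url) pairs for plain-HTTP entries in a [repositories] file."""
    return [(name, url) for name, url in REPO_LINE_PATTERN.findall(text)
            if is_plain_http(url)]


def audit(build_sbt, repositories_file):
    """Combine both scans into one report keyed by source."""
    return {
        "build.sbt": find_insecure_resolvers_in_sbt(build_sbt),
        "repositories": find_insecure_resolvers_in_repositories_file(repositories_file),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_BUILD_SBT, SAMPLE_REPOSITORIES_FILE)
    for source, entries in report.items():
        for name, url in entries:
            print(f"{source}: resolver {name!r} uses plain HTTP: {url}")
```

Run against a real project by reading `build.sbt` and `~/.sbt/repositories` into the two arguments of `audit`; an empty report means no resolver in those files is declared over plain HTTP, which says nothing about defaults baked into the launcher itself.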