Jars from maven aren't pulled down over https #1604

Closed
mveytsman opened this Issue Jul 20, 2014 · 12 comments

Comments

4 participants
@mveytsman

mveytsman commented Jul 20, 2014

Here are the results of lein pprint for a fresh project:

:repositories
 [["central" {:snapshots false, :url "http://repo1.maven.org/maven2/"}]
  ["clojars" {:url "https://clojars.org/repo/"}]],

Is there a reason why we default to http for maven instead of https?

@technomancy

Owner

technomancy commented Jul 20, 2014

Last I checked, pulling from Central over https required some kind of "premium" plan and wasn't publicly available. Maybe this has changed?

@mveytsman

mveytsman commented Jul 20, 2014

Are you talking about this http://blog.sonatype.com/2012/10/now-available-ssl-connectivity-to-central/ ?

Setting up lein to always use SSL is important, if it's a matter of money I have no problem paying the $10 in lein's name.

@technomancy

Owner

technomancy commented Jul 21, 2014

From my reading of that article, the token they provide is a secret and may not be checked into a public source control system. So probably a good idea for everyone using Leiningen to do, but I think everyone would need their own token; we can't just change the defaults to use one.

@mveytsman

mveytsman commented Jul 21, 2014

I think you're right.

Can you keep this issue open for a bit? I want to look into this further.

@technomancy

Owner

technomancy commented Jul 21, 2014

Of course. I agree that the situation is less than ideal. Checking
signatures helps to a degree here, but it's awkward when working on
Leiningen itself because of the bootstrapping problem.

Opening #1608 which is related.

@technomancy

Owner

technomancy commented Jul 29, 2014

The plot thickens: making the $10 donation does not get you SSL access; it gets you an auth token which you can add to a Nexus repository manager, which you can then configure Leiningen to use. Because the auth token is sent using HTTP GET query parameters, Aether cannot be configured to use it directly as far as I can tell.

IMO this is unacceptable, and we should investigate alternatives.

@mveytsman

mveytsman commented Jul 29, 2014

I wrote a blog post about this: http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Hopefully we can get some resolution on this...

@retrogradeorbit

retrogradeorbit commented Jul 29, 2014

Bootstrapping a leiningen project from the default template pulls 4 files from central, and 2 files from clojars. Can we move the required packages to clojars, use https, and make access to maven require the addition of a repository url to use at your own risk? All of the extension packages I use come from clojars, but it's kind of hard to keep secure if some of the base packages (e.g. tools.nrepl-0.2.3) come from central over http.

@trptcolin

Collaborator

trptcolin commented Jul 29, 2014

@retrogradeorbit I was thinking something similar, but the problem is that all the official clojure and contrib releases are hosted on clojars, along with tons of other stuff from Java-land. This seems like it would be a massive breaking change for lein users.

On the clojure side, it seems like the clojure.core team would have to make the decision to start hosting on clojars for this to be viable. Since clojars doesn't have the support weight of Sonatype behind it, I'd guess it's probably going to be a tough sell, but we'd certainly solve the SSL problem.

I wonder if it'd be feasible to set up a mirror of Central that served jars/poms over SSL, and somehow also did its mirroring over SSL? Even if the mirroring couldn't be SSL for some reason, it'd at least reduce the number of places in the network where a MITM is easy.

@technomancy

Owner

technomancy commented Jul 29, 2014

Dropping Central without a replacement is completely off the table for the time being.

Moving libraries off Central doesn't help either; as long as Central is first in the :repositories list it will still be checked, and an attacker can just MITM that connection even though they can't touch Clojars.

If we have someone volunteering to set up and operate a public SSL mirror for the long term, that would be great, but that's a pretty huge commitment.
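An added example of the point technomancy makes above (my code, not Leiningen's and not posted by anyone in this thread): a project that declares its own :repositories still gets the default http central entry, because Leiningen appends project repositories to the defaults unless the vector carries ^:replace metadata. The script reads a project.clj with the Clojure reader (with eval disabled), rebuilds the repository list in the order Leiningen would consult it, applies any :mirrors override, and flags every entry that is not https. The default-repositories value is the one printed by lein pprint at the top of the thread; the mirror-matching rule is my approximation of Leiningen's and is labelled as such; the sample project.clj strings and the nexus.corp.example URL are constructed for the example.

```clojure
;; repo_audit.clj: added example, not part of Leiningen or this thread.
;; Flags Leiningen repositories that would be reached over plain http.
(ns repo-audit
  (:require [clojure.string :as str]))

;; Leiningen's defaults as printed by `lein pprint` at the top of the thread.
;; Project :repositories are appended to these unless the vector is ^:replace.
(def default-repositories
  [["central" {:snapshots false :url "http://repo1.maven.org/maven2/"}]
   ["clojars" {:url "https://clojars.org/repo/"}]])

(defn read-defproject
  "Parse a project.clj string into its option map. project.clj is a Clojure
   form, so use the reader rather than EDN, but with *read-eval* off so a
   #=(...) in an untrusted file cannot run code during the audit."
  [s]
  (let [form (binding [*read-eval* false] (read-string s))]
    (assert (= 'defproject (first form)) "expected a (defproject ...) form")
    (apply hash-map (drop 3 form))))          ; skip defproject, name, version

(defn- repo-url
  "Leiningen accepts either a bare URL string or an options map."
  [v]
  (if (string? v) v (:url v)))

(defn- mirror-for
  "Look up a :mirrors override for a repository. Assumption (approximates
   Leiningen's rule): a string key matches the name or URL exactly, a regex
   key matches either with re-find."
  [mirrors name url]
  (some (fn [[k v]]
          (when (if (instance? java.util.regex.Pattern k)
                  (or (re-find k name) (re-find k url))
                  (or (= k name) (= k url)))
            v))
        mirrors))

(defn effective-repositories
  "The [name url] pairs Leiningen would consult, in order: defaults (unless
   :repositories is ^:replace), then project and plugin repos, with :mirrors
   applied. Central stays first, which is why moving artifacts off Central
   alone does not remove the http hop."
  [project]
  (let [own  (:repositories project)
        base (if (:replace (meta own)) [] default-repositories)]
    (for [[name v] (concat base own (:plugin-repositories project))
          :let [url (or (repo-url v) "")
                m   (mirror-for (:mirrors project) name url)]]
      [name (if m (or (repo-url m) "") url)])))

(defn plain-http-repos
  "Every effective repository whose URL is not https."
  [project]
  (for [[name url] (effective-repositories project)
        :when (not (str/starts-with? url "https://"))]
    [name url]))

;; Constructed sample: the project adds an internal repo but does not touch
;; the defaults, so central still arrives over http.
(def sample-project-clj
  "(defproject demo \"0.1.0\"
     :dependencies [[org.clojure/clojure \"1.6.0\"]]
     :repositories [[\"internal\" \"http://nexus.corp.example/repo/\"]])")

;; Same project with an https mirror for central: only "internal" remains.
(def mirrored-project-clj
  (str "(defproject demo \"0.1.0\" "
       ":repositories [[\"internal\" \"http://nexus.corp.example/repo/\"]] "
       ":mirrors {\"central\" {:name \"central\" "
       "                      :url \"https://repo1.maven.org/maven2/\"}})"))

(defn -main [& _]
  (doseq [src        [sample-project-clj mirrored-project-clj]
          [name url] (plain-http-repos (read-defproject src))]
    (println "WARNING:" name "fetched in the clear from" url)))
;; run: clojure -M -i repo_audit.clj -m repo-audit
```

For the first sample the audit reports central and internal; for the mirrored one only internal. The reader is used with *read-eval* bound to false on purpose: Leiningen itself evaluates project.clj, so this audit is only meaningful on files you would not otherwise load, and a tool that inspects untrusted project files should never give them a code-execution path.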

@mveytsman

mveytsman commented Aug 4, 2014

Looks like SSL support for Maven Central is live: http://central.sonatype.org/articles/2014/Aug/03/https-support-launching-now/

@technomancy

Owner

technomancy commented Aug 4, 2014

Yeah, this is fixed as of 8d6cda1.

@technomancy technomancy closed this Aug 4, 2014
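For anyone on a Leiningen that predates this fix, or who wants to pin the transport regardless of what the defaults say, here is an added example (mine, not from the thread or the Leiningen repository) of redirecting the default central entry to https from ~/.lein/profiles.clj using Leiningen's :mirrors key. The :user profile is merged into every project on the machine, so this covers bootstrapping a fresh template as well as existing projects.

```clojure
;; ~/.lein/profiles.clj: added example, not from the thread or the Leiningen
;; repository. The :user profile is merged into every project on this machine.
;; :mirrors rewrites the URL of the default "central" repository (printed at
;; the top of the thread as http://repo1.maven.org/maven2/) to the same path
;; over TLS; Clojars is already https and is left alone.
{:user {:mirrors {"central" {:name "central"
                             :url  "https://repo1.maven.org/maven2/"}}}}
```

Note that the mirror is applied at resolution time, so lein pprint :repositories will still print the http default; check lein pprint :mirrors instead, or watch the URLs Leiningen logs while downloading. Transport security does not replace signature checking: technomancy's point about verifying signatures still applies, and lein deps :verify reports which resolved dependencies carry a valid signature.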
