Community Support - Maven Central
  2. MVNCENTRAL-94

repo1.maven.org should support HTTPS and HTTP requests should be redirected to HTTPS

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: None
    • Labels:
      None
    • Global Rank:
      13559

      Description

      I raised http://jira.codehaus.org/browse/MNG-5154 asking if HTTPS
      should be available and required to access repo1.maven.org. Benjamin
      Bentmann asked me to file the issue here instead.

      http://jira.codehaus.org/browse/MNG-2477 was raised 3 years ago, and
      it appears that only part of its goal has been achieved. Artifacts are
      routinely signed when deployed, indeed it is a requirement to publish
      on major Maven repos. But the clients don't check the signatures by
      default. Repository managers such as Nexus Professional are needed to
      enforce signature verification.

      As a stopgap measure, it would go a long way toward offering some
      level of reassurance that downloaded artifacts are authentic if the
      central repository would only deliver artifacts over HTTPS,
      redirecting HTTP requests to HTTPS with a 301/302 for backward
      compatibility. Right now, repo1.maven.org is not even available over
      HTTPS.

        Activity

        Michael Osipov added a comment -

        Where is the benefit of this? It would just waste CPU cycles for the encryption. If your JARs are signed, you can verify the integrity.

        Eric Rannaud added a comment -

        As I pointed out above, and in some detail at http://mail-archives.apache.org/mod_mbox/maven-dev/201108.mbox/%3CCA+zRj8WmgegmT4hLmVMf25CfewmqbS7YP_rLR2iUnvAO_FAqMQ@mail.gmail.com%3E, Maven is routinely used in ways that do not give the user any chance of verifying JAR signatures. Or even inform the user that there are signatures to verify on code that has just been downloaded and that is, as yet, unauthenticated.

        An example is building Apache thrift. The "./configure && make install" sequence downloads artifacts from http://repo1.maven.org without any verification. It is not clear at all from the build commands that unauthenticated content is downloaded from the web and will be executed.

        If I miss the 1 line that says "Downloading from http://repo1.maven.org..." among thousands of output lines in the build, I'm screwed.

        For the sake of comparison, the RPM package manager Yum on Fedora can afford to have HTTP-only mirrors, because the command yum(1) will always attempt to verify signatures by default, and a user must explicitly bypass the check with an option to install unsigned packages.

        As Maven does not behave that way, it would really help if, at least, the downlink from the repo was secure. Otherwise, you're waiting for a disaster to happen.

        Is repo1.maven.org under heavy load and cannot handle the overhead? The SSL/TLS overhead is generally not that high – unless you're already at capacity.

        Thanks.

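The description and the comment above both turn on the same gap: Central ships a .sha1 checksum and a detached .asc PGP signature next to every artifact, but a plain-HTTP fetch followed by no verification uses neither. The following is an added example, not code from this issue, from Maven or from the Thrift build, of the gate a build script can apply itself before a downloaded JAR goes on the classpath: refuse a repository URL that is not https://, check the .sha1 sidecar for integrity, and verify the .asc against a keyring populated out of band for authenticity. The artifact coordinates and version are placeholders, the JAR bytes and sidecar are constructed inline, and the PGP step assumes a gpg binary on PATH (it is not exercised by the offline sample).

```python
# Added example (not code from the issue, from Maven or from Thrift): the
# checks a build script can run today instead of trusting whatever an HTTP
# fetch of repo1.maven.org returns. Assumptions are noted inline.
import hashlib
import re
import subprocess
from urllib.parse import urlparse


def artifact_paths(group_id, artifact_id, version, packaging="jar"):
    """Repository-relative paths for an artifact and its two sidecars in the
    Maven 2 layout: groupId dots become slashes, and Central publishes a
    .sha1 checksum and a detached .asc PGP signature beside each artifact."""
    base = "{}/{}/{}/{}-{}.{}".format(
        group_id.replace(".", "/"), artifact_id, version, artifact_id, version, packaging
    )
    return {"artifact": base, "sha1": base + ".sha1", "asc": base + ".asc"}


def is_https_repo(repo_url):
    """True only for an https:// URL with a host. A client that starts on
    http:// and follows a 301 to https:// has already trusted whoever can
    rewrite the first hop, so the check is on the configured URL, not on
    where a redirect happens to end up."""
    parsed = urlparse(repo_url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def parse_sha1_sidecar(text):
    """Central's .sha1 files carry either a bare hex digest or
    '<digest>  <filename>'; accept both forms and reject anything else."""
    match = re.match(r"\s*([0-9a-fA-F]{40})(?:\s|$)", text)
    if match is None:
        raise ValueError("malformed .sha1 sidecar: %r" % text[:60])
    return match.group(1).lower()


def sha1_matches(artifact_bytes, sidecar_text):
    """Integrity only: the sidecar is served by the same host over the same
    channel as the artifact, so a man-in-the-middle who rewrites one can
    rewrite the other. This catches corruption and truncation, not tampering."""
    return hashlib.sha1(artifact_bytes).hexdigest() == parse_sha1_sidecar(sidecar_text)


def pgp_signature_ok(artifact_path, asc_path, keyring_path):
    """Authenticity: verify the detached .asc with gpg against a keyring you
    populated out of band (the publisher's key, pinned by fingerprint, not a
    key fetched from a key server during the build). Returns True on exit
    status 0. Assumes gpg on PATH; not run by the offline sample below."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
           "--verify", asc_path, artifact_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def check_download(repo_url, artifact_bytes, sidecar_text):
    """Combined gate for a downloaded JAR: refuse plain HTTP first, then refuse
    a checksum mismatch. The PGP check is the third step once gpg and a
    pinned keyring are available on the build host."""
    if not is_https_repo(repo_url):
        return "rejected: repository URL is not https"
    if not sha1_matches(artifact_bytes, sidecar_text):
        return "rejected: .sha1 sidecar does not match artifact"
    return "ok"


# Constructed sample: a stand-in for a JAR (real JARs are ZIP files, hence the
# PK header) and a sidecar generated from it in the form Central serves.
SAMPLE_JAR = b"PK\x03\x04" + b"constructed stand-in, not a real artifact"
SAMPLE_SIDECAR = hashlib.sha1(SAMPLE_JAR).hexdigest() + "  example-1.0.0.jar\n"

if __name__ == "__main__":
    # Placeholder coordinates chosen for illustration only.
    print(artifact_paths("org.example", "example", "1.0.0"))
    print(check_download("http://repo1.maven.org/maven2", SAMPLE_JAR, SAMPLE_SIDECAR))
    print(check_download("https://repo1.maven.org/maven2", SAMPLE_JAR, SAMPLE_SIDECAR))
    print(check_download("https://repo1.maven.org/maven2", SAMPLE_JAR + b"\x00", SAMPLE_SIDECAR))
```

The three checks protect against different things and should not be confused: HTTPS authenticates the host you are talking to, the .sha1 sidecar only detects accidental corruption, and only the .asc verified against a key obtained out of band authenticates the publisher. A redirect from HTTP to HTTPS, which the issue asks for, helps clients that already start on HTTPS and protects nothing for a client that starts on HTTP, because the redirect itself travels over the unauthenticated leg.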

          People

          • Assignee:
            Juven Xu
            Reporter:
            Eric Rannaud
          • Votes:
            1
          • Watchers:
            1
