Uploaded image for project: 'Community Support - Maven Central'
  1. Community Support - Maven Central
  2. MVNCENTRAL-94

repo1.maven.org should support HTTPS and HTTP requests should be redirected to HTTPS

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: None
    • Labels:
      None

      Description

      I raised http://jira.codehaus.org/browse/MNG-5154 asking if HTTPS
      should be available and required to access repo1.maven.org. Benjamin
      Bentmann asked me to file the issue here instead.

      http://jira.codehaus.org/browse/MNG-2477 was raised 3 years ago, and
      it appears that only part of its goal has been achieved. Artifacts are
      routinely signed when deployed, indeed it is a requirement to publish
      on major Maven repos. But the clients don't check the signatures by
      default. Repository managers such as Nexus Professional are needed to
      enforce signature verification.

      As a stopgap measure, it would go a long way toward offering some
      level of reassurance that downloaded artifacts are authentic if the
      central repository would only deliver artifacts over HTTPS,
      redirecting HTTP requests to HTTPS with a 301/302 for backward
      compatibility. Right now, repo1.maven.org is not even available over
      HTTPS.

        Attachments

          Activity

            People

            • Assignee:
              juven Juven Xu
              Reporter:
              eric.rannaud Eric Rannaud
              Last Updated By:
              Eric Rannaud
            • Votes:
              1 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Date of First Response: