I raised http://jira.codehaus.org/browse/MNG-5154 asking if HTTPS
should be available and required to access repo1.maven.org. Benjamin
Bentmann asked me to file the issue here instead.

http://jira.codehaus.org/browse/MNG-2477 was raised 3 years ago, and
it appears that only part of its goal has been achieved. Artifacts are
routinely signed when deployed; indeed, it is a requirement to publish
on major Maven repos. But the clients don't check the signatures by
default. Repository managers such as Nexus Professional are needed to
enforce signature verification.

As a stopgap measure, it would go a long way toward offering some
level of reassurance that downloaded artifacts are authentic if the
central repository would only deliver artifacts over HTTPS,
redirecting HTTP requests to HTTPS with a 301/302 for backward
compatibility. Right now, repo1.maven.org is not even available over