Community Support - Maven Central
  1. Community Support - Maven Central
  2. MVNCENTRAL-94

repo1.maven.org should support HTTPS and HTTP requests should be redirected to HTTPS

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Component/s: None
    • Labels:
      None
    • Global Rank:
      13559

      Description

      I raised http://jira.codehaus.org/browse/MNG-5154 asking if HTTPS
      should be available and required to access repo1.maven.org. Benjamin
      Bentmann asked me to file the issue here instead.

      http://jira.codehaus.org/browse/MNG-2477 was raised 3 years ago, and
      it appears that only part of its goal has been achieved. Artifacts are
      routinely signed when deployed, indeed it is a requirement to publish
      on major Maven repos. But the clients don't check the signatures by
      default. Repository managers such as Nexus Professional are needed to
      enforce signature verification.

      As a stopgap measure, it would go a long way toward offering some
      level of reassurance that downloaded artifacts are authentic if the
      central repository would only deliver artifacts over HTTPS,
      redirecting HTTP requests to HTTPS with a 301/302 for backward
      compatibility. Right now, repo1.maven.org is not even available over
      HTTPS.

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            Juven Xu
            Reporter:
            Eric Rannaud
            Last Updated By:
            Eric Rannaud
          • Votes:
            1 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Date of First Response: