Hi all,

Recently in the news there has been a lot of controversy regarding Maven Central's lack of HTTPS support (without a donation for an access key, which isn't redistributable; see [1], [2], [3] for context). While Sonatype plans to deploy HTTPS for all to fix it, there is an exploit tool in the wild. JCenter is an alternate Maven Central mirror that contains the dependencies we currently get from Maven Central. It allows free HTTPS access.

I propose we immediately accept my patch [4] to switch to JCenter over HTTPS, buying us an immediate mitigation to the exploit tool in the wild. Longer-term we can switch to checksum-pinning our dependencies [5], which will allow us to use any Maven mirror as long as we trust our git origin servers and committers. Though it wasn't called out in the press, our Python dependencies are probably vulnerable to a similar issue, and I've filed an issue [6] to investigate checksum-pinning there too.

Please discuss, and if you agree please give a shipit to my review.

Thanks,
Kevin

[1] http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
[2] http://blog.sonatype.com/2014/07/ssl_connectivity_for_central/#.U9kVOnVdXmE
[3] https://twitter.com/bintray/status/494129921363824640
[4] https://reviews.apache.org/r/24063/
[5] https://issues.apache.org/jira/browse/AURORA-616
[6] https://issues.apache.org/jira/browse/AURORA-618
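Editor's added illustration of the checksum-pinning idea from the message above; this is not Kevin's code and not from the Aurora patches linked at [4] or [5]. The trust model is the one the message describes: the digests are committed to git (trusted), the artifacts arrive from any mirror, possibly over plain HTTP (untrusted), and an artifact is used only if its SHA-256 matches its committed pin. The artifact coordinates, jar bytes and pin table are all constructed inline so the example runs offline; `pip_hash_line` is an added helper that renders the same pin in pip's `--hash=sha256:` requirements syntax, which is the form Python dependency pinning would take.

```python
"""Checksum-pinning check for fetched dependency artifacts (constructed example)."""
import hashlib
import hmac

# Constructed sample payloads standing in for downloaded jars; not real artifacts.
GENUINE = {
    "org.example:widget:1.0": b"PK\x03\x04 constructed widget-1.0.jar contents",
    "org.example:gadget:2.1": b"PK\x03\x04 constructed gadget-2.1.jar contents",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# The pin file as it would be committed to the repository: coordinate -> digest.
# Computed here from the constructed genuine bytes so the example runs offline.
PINS = {coord: sha256_hex(data) for coord, data in GENUINE.items()}


class PinMismatch(Exception):
    """Downloaded bytes do not match the committed digest."""


class UnpinnedArtifact(Exception):
    """No digest is committed for this coordinate; refuse rather than trust the mirror."""


def verify_artifact(coord: str, data: bytes, pins: dict) -> str:
    """Return the digest if `data` matches the pin for `coord`, else raise."""
    expected = pins.get(coord)
    if expected is None:
        raise UnpinnedArtifact(coord)
    actual = sha256_hex(data)
    # Constant-time compare; the digest is not secret, but it costs nothing here.
    if not hmac.compare_digest(actual, expected):
        raise PinMismatch(f"{coord}: expected sha256 {expected}, got {actual}")
    return actual


def verify_batch(fetched: dict, pins: dict):
    """Check every fetched artifact. Returns (accepted, rejected): accepted maps
    coordinate -> digest, rejected maps coordinate -> reason. Nothing in
    `rejected` should reach the build classpath."""
    accepted, rejected = {}, {}
    for coord, data in fetched.items():
        try:
            accepted[coord] = verify_artifact(coord, data, pins)
        except UnpinnedArtifact:
            rejected[coord] = "unpinned"
        except PinMismatch:
            rejected[coord] = "digest mismatch"
    return accepted, rejected


def fetch_from_mirror(tampered: bool = False) -> dict:
    """Constructed stand-in for a plain-HTTP download. With `tampered` set, an
    on-path attacker has swapped one artifact for its own bytes, and the mirror
    has also served an artifact the repository never pinned."""
    fetched = dict(GENUINE)
    if tampered:
        fetched["org.example:widget:1.0"] = b"PK\x03\x04 attacker-supplied widget-1.0.jar"
        fetched["org.evil:extra:0.1"] = b"PK\x03\x04 unrequested extra jar"
    return fetched


def pip_hash_line(package: str, version: str, digest: str) -> str:
    """The same pin expressed as a pip requirements line (used with --require-hashes)."""
    return f"{package}=={version} --hash=sha256:{digest}"


if __name__ == "__main__":
    ok, bad = verify_batch(fetch_from_mirror(tampered=True), PINS)
    print("accepted:", sorted(ok))
    print("rejected:", bad)
```

With the pins in git, the mirror's transport no longer has to be trusted: a swapped jar fails the digest check and an artifact nobody pinned is refused outright, which is what lets any Maven mirror be used once committers and the git origin are the trust anchors. Rotating a dependency means committing a new digest, so the pin file review is where the trust decision happens.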