On Wed, Jul 30, 2014 at 9:44 AM, Jake Farrell <jfarr...@apache.org> wrote:
> +0
>
> Aurora-620: Is this really a rampant issue causing jars to be widely
> compromised, great blog post, but any documentation of this exploit
> actually occurring. To me this seems like additions that are not needed
> especially since maven central is going to ssl in the near future.
>
> Aurora-616: The gradle witness plugin will test against the listed
> dependencies in our build.gradle but it does not verify any sub
> dependencies. It would be better for us to vendor cache all of our
> dependencies if we are really worried about this.
>

It will verify all transitive dependencies:
https://github.com/WhisperSystems/gradle-witness/blob/master/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy#L50-L61

That said I'd be in favor of a vendor cache if we can store it somewhere
other than git.

> -Jake
>
>
> On Wed, Jul 30, 2014 at 12:10 PM, Kevin Sweeney <kevi...@apache.org>
> wrote:
>
> > Hi all,
> >
> > Recently in the news there has been a lot of controversy regarding Maven
> > Central's lack of HTTPS support (without a donation for an access key
> > which isn't redistributable, see [1], [2], [3] for context). While
> > Sonatype plans to deploy HTTPS for all fix it there is an exploit tool
> > in the wild. JCenter is an alternate Maven Central mirror that contains
> > the dependencies we currently get from Maven Central. It allows free
> > HTTPS access.
> >
> > I propose we immediately accept my patch [4] to switch to JCenter over
> > HTTPS, buying us an immediate mitigation to the exploit tool in the wild.
> > Longer-term we can switch to checksum-pinning our dependencies [5], which
> > will allow us to use any Maven mirror as long as we trust our git origin
> > servers and committers.
> >
> > Though it wasn't called out in the press, our Python dependencies are
> > probably vulnerable to a similar issue and I've filed an issue [6] to
> > investigate checksum-pinning there too.
> >
> > Please discuss, and if you agree please give a shipit to my review.
> >
> > Thanks,
> > Kevin
> >
> > [1] http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
> > [2] http://blog.sonatype.com/2014/07/ssl_connectivity_for_central/#.U9kVOnVdXmE
> > [3] https://twitter.com/bintray/status/494129921363824640
> > [4] https://reviews.apache.org/r/24063/
> > [5] https://issues.apache.org/jira/browse/AURORA-616
> > [6] https://issues.apache.org/jira/browse/AURORA-618
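The checksum-pinning idea discussed in the thread (a manifest of expected digests committed alongside the build, checked against every fetched artifact, transitive ones included, before the build uses it), shown as a small added Python illustration. This is not the gradle-witness plugin and not Aurora code; the manifest format, the function names and the sample "jar" bytes are constructed for the example.

```python
"""Checksum pinning for downloaded build dependencies (added illustration).

The repository commits a manifest of "coordinate sha256" lines. At fetch
time each artifact's bytes are hashed and compared with the pinned digest,
so a mirror or transport that cannot be trusted on its own (plain HTTP,
a mirror you do not control) can still be used: anything that does not
match the committed pin fails the build instead of being executed.
"""
import hashlib
import hmac


class PinMismatch(Exception):
    """Raised when an artifact is unpinned or its digest differs from the pin."""


def parse_manifest(text):
    """Parse 'group:artifact:version sha256hex' lines into {coordinate: digest}.

    Blank lines and '#' comments are ignored. A malformed or duplicate entry
    is an error rather than a skip: a pin that is silently dropped is the
    same as no pin at all.
    """
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<coordinate> <sha256>'")
        coord, digest = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad sha256 for {coord}")
        if coord in pins:
            raise ValueError(f"manifest line {lineno}: duplicate pin for {coord}")
        pins[coord] = digest
    return pins


def verify_artifact(coord, data, pins):
    """Return True only if sha256(data) equals the pin recorded for coord.

    Coordinates with no pin are rejected too: an unpinned transitive
    dependency is exactly the gap the thread is worried about.
    """
    expected = pins.get(coord)
    if expected is None:
        raise PinMismatch(f"{coord}: no pin in manifest")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise PinMismatch(f"{coord}: expected {expected}, got {actual}")
    return True


def verify_all(fetched, pins):
    """Verify every fetched artifact ({coord: bytes}); return the verified coords."""
    for coord, data in sorted(fetched.items()):
        verify_artifact(coord, data, pins)
    return sorted(fetched)


# Constructed sample: stand-in jar bytes and a manifest pinned to them
# (the digests are computed here only because real jar hashes are not on the page).
SAMPLE_JARS = {
    "org.example:lib-a:1.0": b"PK\x03\x04 constructed stand-in for lib-a-1.0.jar",
    "org.example:lib-b:2.3": b"PK\x03\x04 constructed stand-in for lib-b-2.3.jar",
}
SAMPLE_MANIFEST = "\n".join(
    f"{coord} {hashlib.sha256(data).hexdigest()}  # constructed pin"
    for coord, data in SAMPLE_JARS.items()
)

if __name__ == "__main__":
    pins = parse_manifest(SAMPLE_MANIFEST)
    print("verified:", verify_all(SAMPLE_JARS, pins))
    # An artifact whose bytes differ from what was pinned fails verification.
    altered = dict(SAMPLE_JARS, **{"org.example:lib-a:1.0": b"PK\x03\x04 different bytes"})
    try:
        verify_all(altered, pins)
    except PinMismatch as e:
        print("rejected:", e)
```

The comparison uses `hmac.compare_digest` out of habit rather than necessity (the digests are not secrets), and the important design point is the two reject paths: a changed artifact and an artifact nobody pinned are both build failures, which is what makes the manifest, not the transport, the thing you have to trust.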