Re: [DISCUSS] Build security

2014-07-30 Thread Kevin Sweeney
Checksum pinning allows us to mitigate the security issues without needing to run expensive mirroring infrastructure ourselves.

On Wed, Jul 30, 2014 at 10:18 AM, Jake Farrell wrote:
> To me that brings up the question then why use any remote dist for
> development at all if we are really concern

Re: [DISCUSS] Build security

2014-07-30 Thread Jake Farrell
To me that brings up the question then why use any remote dist for development at all if we are really concerned about this being an issue? Vendor everything (py, jar, js) in our 3rdparty dir and then we guarantee that each dependency we use has history on why it was added and who added it (don't th

Re: [DISCUSS] Build security

2014-07-30 Thread Kevin Sweeney
On Wed, Jul 30, 2014 at 9:44 AM, Jake Farrell wrote:
> +0
>
> Aurora-620: Is this really a rampant issue causing jars to be widely
> compromised, great blog post, but any documentation of this exploit
> actually occurring. To me this seems like additions that are not needed
> especially since mav

Re: [DISCUSS] Build security

2014-07-30 Thread Bill Farner
FWIW the filing of the ticket was reactionary only to the availability of a solution, not of the scare (I've been twitchy about this for a long time).

> Is this really a rampant issue causing jars to be widely compromised

Why wait for a publicized attack? Since we know this presents a risk, w

Re: [DISCUSS] Build security

2014-07-30 Thread Jake Farrell
+0

Aurora-620: Is this really a rampant issue causing jars to be widely compromised, great blog post, but any documentation of this exploit actually occurring. To me this seems like additions that are not needed especially since Maven Central is going to SSL in the near future.

Aurora-616: The gr

Re: [DISCUSS] Build security

2014-07-30 Thread Mark Chu-Carroll
+1

On Wed, Jul 30, 2014 at 12:10 PM, Kevin Sweeney wrote:
> Hi all,
>
> Recently in the news there has been a lot of controversy regarding Maven
> Central's lack of HTTPS support (without a donation for an access key which
> isn't redistributable, see [1], [2], [3] for context). While Sonatype