
Jars from maven aren't pulled down over https #1604

Closed
mveytsman opened this issue Jul 20, 2014 · 12 comments

@mveytsman

Here's the results of lein pprint for a fresh project:

:repositories
 [["central" {:snapshots false, :url "http://repo1.maven.org/maven2/"}]
  ["clojars" {:url "https://clojars.org/repo/"}]],

Is there a reason why we default to http for maven instead of https?
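As an added check that is not part of the issue thread or of Leiningen itself: a small Python script that parses the `:repositories` vector printed by `lein pprint` and reports every repository fetched over plaintext http. The second sample assumes that "central" has been overridden in project.clj with an https URL (the override mechanism is assumed, not taken from the thread); both samples are constructed here.

```python
import re

# Constructed sample: the :repositories vector reported by `lein pprint`
# in the issue above (central over plaintext http, clojars over https).
DEFAULT_REPOS = '''
:repositories
 [["central" {:snapshots false, :url "http://repo1.maven.org/maven2/"}]
  ["clojars" {:url "https://clojars.org/repo/"}]]
'''

# Constructed sample: the same vector after "central" has been overridden
# with an https URL (assumed project.clj override; see lead-in).
FIXED_REPOS = '''
:repositories
 [["central" {:snapshots false, :url "https://repo1.maven.org/maven2/"}]
  ["clojars" {:url "https://clojars.org/repo/"}]]
'''

# One repository entry is either ["name" {... :url "..." ...}] (map form)
# or ["name" "url"] (bare string form); both are accepted.
_ENTRY = re.compile(
    r'\[\s*"(?P<name>[^"]+)"\s*'
    r'(?:\{[^}]*:url\s*"(?P<url1>[^"]+)"[^}]*\}|"(?P<url2>[^"]+)")\s*\]'
)


def repositories(pprint_text):
    """Return [(name, url)] for every entry in a :repositories vector."""
    return [(m.group("name"), m.group("url1") or m.group("url2"))
            for m in _ENTRY.finditer(pprint_text)]


def plaintext_repositories(pprint_text):
    """Return the repositories whose artifacts are fetched over unencrypted http.

    Anyone on the network path can tamper with these downloads, so a build
    should refuse to proceed while this list is non-empty."""
    return [(name, url) for name, url in repositories(pprint_text)
            if url.lower().startswith("http://")]


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_REPOS), ("fixed", FIXED_REPOS)):
        print(label, "plaintext repositories:", plaintext_repositories(text))
```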

@technomancy (Owner)

Last I checked, pulling from Central over https required some kind of "premium" plan and wasn't publicly available. Maybe this has changed?

@mveytsman (Author)

Are you talking about this http://blog.sonatype.com/2012/10/now-available-ssl-connectivity-to-central/ ?

Setting up lein to always use SSL is important; if it's a matter of money, I have no problem paying the $10 in lein's name.

@technomancy (Owner)

From my reading of that article, the token they provide is a secret and may not be checked into a public source control system. So probably a good idea for everyone using Leiningen to do, but I think everyone would need their own token; we can't just change the defaults to use one.

@mveytsman (Author)

I think you're right.

Can you keep this issue open for a bit? I want to look into this further.

@technomancy (Owner)

Of course. I agree that the situation is less than ideal. Checking signatures helps to a degree here, but it's awkward when working on Leiningen itself because of the bootstrapping problem.

Opening #1608 which is related.

@technomancy (Owner)

The plot thickens: making the $10 donation does not get you SSL access; it gets you an auth token which you can add to a Nexus repository manager, which you can then configure Leiningen to use. Because the auth token is sent using HTTP GET query parameters, Aether cannot be configured to use it directly as far as I can tell.

IMO this is unacceptable, and we should investigate alternatives.

@mveytsman (Author)

I wrote a blog post about this: http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Hopefully we can get some resolution on this...

@retrogradeorbit

Bootstrapping a Leiningen project from the default template pulls 4 files from central and 2 files from clojars. Can we move the required packages to clojars, use https, and make access to maven require the addition of a repository URL to use at your own risk? All of the extension packages I use come from clojars, but it's kind of hard to keep secure if some of the base packages (e.g. tools.nrepl-0.2.3) come from central over http.

@trptcolin (Collaborator)

@retrogradeorbit I was thinking something similar, but the problem is that all the official clojure and contrib releases are hosted on clojars, along with tons of other stuff from Java-land. This seems like it would be a massive breaking change for lein users.

On the clojure side, it seems like the clojure.core team would have to make the decision to start hosting on clojars for this to be viable. Since clojars doesn't have the support weight of Sonatype behind it, I'd guess it's probably going to be a tough sell, but we'd certainly solve the SSL problem.

I wonder if it'd be feasible to set up a mirror of Central that served jars/poms over SSL, and somehow also did its mirroring over SSL? Even if the mirroring couldn't be SSL for some reason, it'd at least reduce the number of places in the network where a MITM is easy.

@technomancy (Owner)

Dropping Central without a replacement is completely off the table for the time being.

Moving libraries off Central doesn't help either; as long as Central is first in the :repositories list it will still be checked, and an attacker can just MITM that connection even though they can't touch Clojars.

If we have someone volunteering to set up and operate a public SSL mirror for the long term, that would be great, but that's a pretty huge commitment.

@mveytsman (Author)

Looks like SSL support for Maven Central is live: http://central.sonatype.org/articles/2014/Aug/03/https-support-launching-now/

@technomancy (Owner)

Yeah, this is fixed as of 8d6cda1.
