oss-sec mailing list archives
Re: CVE request: Maven downloads JARs via HTTP
From: gremlin () gremlin ru
Date: Mon, 2 Mar 2015 16:25:54 +0300
On 2015-03-02 14:07:00 +0100, Martin Prpic wrote:
"Maven Central can now be accessed via HTTPS. I think the default configuration should be switched to use that, rather than the current unsecured HTTP transport."
Does it use any sort of package signing and signature verification? -- Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru> GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
Current thread:
- CVE request: Maven downloads JARs via HTTP Martin Prpic (Mar 02)
- Re: CVE request: Maven downloads JARs via HTTP gremlin (Mar 02)
- Re: CVE request: Maven downloads JARs via HTTP Martin Prpic (Mar 02)
- Re: CVE request: Maven downloads JARs via HTTP gremlin (Mar 02)
- Re: CVE request: Maven downloads JARs via HTTP Simon McVittie (Mar 02)
- Re: validation on update gremlin (Mar 03)
- Re: validation on update Kurt Seifried (Mar 03)
- Re: CVE request: Maven downloads JARs via HTTP Martin Prpic (Mar 02)
- Re: CVE request: Maven downloads JARs via HTTP gremlin (Mar 02)