HTTPS Support Launching Now
This is Sonatype's response to the earlier "How to take over the computer of any Java (or Clojure or Scala) developer" concerns and discussion [1]. I'm very relieved they've fixed the big problem there, as having so much infrastructure reliant on plain HTTP was a giant hack waiting to happen.
> extremely short turnaround time
Come on, please. Sonatype has intentionally offered HTTPS only to Nexus/Artifactory/… users since at least 2007.
Except that this does not really give you that much security. Maybe only in transport, but certainly not verification of the content.
HTTPS (or SSL/TLS for that matter) only verifies the identity of the server the content is coming from. Since users can upload stuff to repositories on Sonatype, there is no verification of content whatsoever.
A naive workaround for this is to use PGP-signed content. This would work if users actually verified the PGP signature through a third channel, either using the web of trust or some other means of confirming that the PGP key actually belongs to the developer.
Failing that, HTTPS is just snake-oil security here.
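The point made in the comment above, as an added example that is not part of the thread and not Sonatype's code: a checksum (or signature) fetched from the same repository as the artifact proves nothing if that repository, or a plain-HTTP man-in-the-middle, can rewrite both; only a value obtained through a third channel and pinned by the client catches the swap. The example uses only the Python standard library, models the repository as an in-memory dict, and uses constructed jar bytes and a made-up artifact path; Maven Central's real `.sha1` sidecar convention is the only thing taken from the real system. The same logic applies to `.asc` PGP signatures: the fingerprint of the signing key must be pinned from a third channel, or an attacker simply publishes a new key alongside a new signature.

```python
"""Transport security vs. content verification for a Maven-style repository.

Added example, not code from the thread. The repository is an in-memory
dict; GOOD_JAR / EVIL_JAR are constructed placeholder bytes, and ARTIFACT
is a hypothetical path.
"""
import hashlib
import hmac

# Constructed sample artifacts standing in for a genuine and a trojaned jar.
GOOD_JAR = b"PK\x03\x04 genuine lib-1.0.jar contents"
EVIL_JAR = b"PK\x03\x04 trojaned lib-1.0.jar contents"

# Hypothetical artifact path in the repository.
ARTIFACT = "org/example/lib/1.0/lib-1.0.jar"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(repo: dict, path: str, data: bytes) -> None:
    """Publish an artifact the way Maven Central does: the jar plus a .sha1
    sidecar generated from the same bytes, served from the same host."""
    repo[path] = data
    repo[path + ".sha1"] = sha1_hex(data)


def verify_with_sidecar(repo: dict, path: str) -> bool:
    """What a client learns by checking the .sha1 served next to the jar.
    HTTPS guarantees both files came from the repository unmodified in
    transit; it says nothing about whether the repository's copy is genuine."""
    return hmac.compare_digest(sha1_hex(repo[path]), repo[path + ".sha1"])


def verify_with_pin(repo: dict, path: str, pinned_sha256: str) -> bool:
    """Check the jar against a digest the client obtained through a third
    channel (e.g. recorded in the build and reviewed), independent of the
    repository. This is the only check that does not trust the server."""
    return hmac.compare_digest(sha256_hex(repo[path]), pinned_sha256)


def simulate() -> tuple:
    """Run both checks before and after the repository content is swapped.

    Returns ((sidecar_ok, pin_ok) before, (sidecar_ok, pin_ok) after)."""
    repo: dict = {}
    publish(repo, ARTIFACT, GOOD_JAR)
    # Developer pins the digest on a trusted first fetch, out of band.
    pin = sha256_hex(GOOD_JAR)
    before = (verify_with_sidecar(repo, ARTIFACT),
              verify_with_pin(repo, ARTIFACT, pin))

    # Attacker controlling the repository (or a plain-HTTP MITM) replaces the
    # jar and regenerates the sidecar; the server-side check still passes.
    publish(repo, ARTIFACT, EVIL_JAR)
    after = (verify_with_sidecar(repo, ARTIFACT),
             verify_with_pin(repo, ARTIFACT, pin))
    return before, after


if __name__ == "__main__":
    before, after = simulate()
    print("before swap: sidecar=%s pin=%s" % before)
    print("after swap:  sidecar=%s pin=%s" % after)
```

The sidecar check reports success both times because the attacker regenerated it from the swapped bytes; only the pinned digest fails after the swap. Pinning the signing key's fingerprint for `.asc` verification plays the same role as the pinned digest here.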
Thanks, guys, for the great work!
Public shaming works!