Elliotte Rusty Harold created MRESOLVER-52:
----------------------------------------------

             Summary: https for artifact resolution
                 Key: MRESOLVER-52
                 URL: https://issues.apache.org/jira/browse/MRESOLVER-52
             Project: Maven Resolver
          Issue Type: Bug
          Components: resolver
    Affects Versions: Maven Artifact Resolver 1.1.1
            Reporter: Elliotte Rusty Harold


Here's an exception I saw recently:

Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact com.google.auth:google-auth-library-credentials:pom:0.4.0 from/to central (http://repo1.maven.org/maven2/): repo1.maven.org: nodename nor servname provided, or not known

The exception is probably a glitch in my network or DNS. Not resolver's fault and no big deal. However the message surprised me. Why *http*://repo1.maven.org/maven2/ and not *https*://repo1.maven.org/maven2/?

One of three things is likely happening here:

1. Resolver is really using http instead of https to transfer artifacts. This is a major issue, and should be fixed.
2. It's using https to transfer, but is forming the URL in the error message by string concatenation with "http", which is not critical but should still be fixed.
3. It's relying on repo1 to redirect to https, which it seems to do; but shouldn't be required since this leaves the connection vulnerable to MITM.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)