Around Monday or Tuesday, September 26–27th, 2016, we started to see occasional failures to retrieve sbt artifacts in our CI environment. At the time we suspected transient network issues either in the CI environment or our redirection proxy that services repo.lightbend.com and repo.sbt-scala.org.
By Wednesday we had observed similar failures in multiple CI environments including Jenkins hosted on AWS. At this point we realized that there was an incident at hand. Eugene Yokota opened GitHub issue sbt/sbt#2758 documenting the issue, tweeted an alert via @scala_sbt, and contacted JFrog (the company that operates Bintray).
During the early hours of Thursday, September 29th, Christopher Hunt identified the root cause to be Bintray occasionally redirecting the secure HTTPS requests to their CDN using non-secure HTTP. Because switching from HTTPS to HTTP could allow attacker interception, this is considered insecure. The redirect was correctly rejected by sbt, which uses Java's HttpURLConnection.
We reported this to JFrog and they promptly fixed the issue, around Thursday, September 29th 13:00 UTC (9:00 EDT).
At this time we believe the incident to be resolved. Thank you for your patience.
