Introducing Akka Cloud to Edge Continuum. Build once for the Cloud. Seamlessly deploy to the Edge - Read Blog

Lightbend to require HTTPS on repos starting August 5, 2020

Lightbend Team, Lightbend, Inc.

Starting August 5, 2020, Maven and Ivy repositories that Lightbend operates will no longer support HTTP. Users must connect via HTTPS, because normal HTTP is vulnerable to man-in-the-middle attacks.

In making this change, we will be in alignment with major providers such as Maven Central, which disabled HTTP access last year. The affected repositories are:


We are not going to redirect from HTTP to HTTPS because it perpetuates the vulnerability.

sbt uses HTTPS for Maven Central

In response to 2014 writeup by Max Veytsman, Sonatype added support for HTTPS for Maven Central, and sbt followed suit a month later by releasing sbt 0.13.6 in September 2014 that uses HTTPS to resolve artifacts from both Maven Central and Lightbend-operated repositories.

Additional resolvers

However Jonathan Leitschuh discovered in his 2019 writeup that the JVM ecosystem remains insecure because various build tools still support additional resolvers, and it's easy to write "HTTP" instead of "HTTPS", perhaps copied from some old documentation.

// Bad. Don't use HTTP
resolvers += "bintray-foo" at ""
// Good 
resolvers += Resolver.bintrayRepo("foo", "maven")

Responding to Jonathan's initiative, Sonatype, JFrog, and others have turned off their HTTP endpoints on Maven repositories. Joining the effort, sbt 1.3.0 started to display a deprecation warning when an additional resolver uses HTTP. Turning off the HTTP endpoints on our repositories is part of the initiative. Please review your build, and migrate to using HTTPS.

We would like to extend our thanks to John Leitschuh for his leadership and dedication to the ongoing effort towards securing open source.

Proxy users

In cases where HTTP is needed for in-house Nexus or Artifactory, you can opt-in using .withAllowInsecureProtocol(true).

If your organization is behind a proxy repository that uses one of the Lightbend repositories (for example that hosts all the sbt plugins), please ask your administrator to confirm that the proxy is set up for HTTPS.


The Total Economic Impact™
Of Lightbend Akka

  • 139% ROI
  • 50% to 75% faster time-to-market
  • 20x increase in developer throughput
  • <6 months Akka pays for itself