Starting August 5, 2020, Maven and Ivy repositories that Lightbend operates will no longer support HTTP. Users must connect via HTTPS, because normal HTTP is vulnerable to man-in-the-middle attacks.

In making this change, we will be in alignment with major providers such as Maven Central, which disabled HTTP access last year. The affected repositories are:

  1. https://repo.scala-sbt.org/
  2. https://repo.lightbend.com/
  3. https://repo.typesafe.com/

We are not going to redirect from HTTP to HTTPS because it perpetuates the vulnerability.

sbt uses HTTPS for Maven Central

In response to 2014 writeup by Max Veytsman, Sonatype added support for HTTPS for Maven Central, and sbt followed suit a month later by releasing sbt 0.13.6 in September 2014 that uses HTTPS to resolve artifacts from both Maven Central and Lightbend-operated repositories.

Additional resolvers

However Jonathan Leitschuh discovered in his 2019 writeup that the JVM ecosystem remains insecure because various build tools still support additional resolvers, and it's easy to write "HTTP" instead of "HTTPS", perhaps copied from some old documentation.


// Bad. Don't use HTTP
resolvers += "bintray-foo" at "http://dl.bintray.com/foo/maven"
// Good 
resolvers += Resolver.bintrayRepo("foo", "maven")

Responding to Jonathan's initiative, Sonatype, JFrog, and others have turned off their HTTP endpoints on Maven repositories. Joining the effort, sbt 1.3.0 started to display a deprecation warning when an additional resolver uses HTTP. Turning off the HTTP endpoints on our repositories is part of the initiative. Please review your build, and migrate to using HTTPS.

We would like to extend our thanks to John Leitschuh for his leadership and dedication to the ongoing effort towards securing open source.

Proxy users

In cases where HTTP is needed for in-house Nexus or Artifactory, you can opt-in using .withAllowInsecureProtocol(true).

If your organization is behind a proxy repository that uses one of the Lightbend repositories (for example https://repo.scala-sbt.org/ that hosts all the sbt plugins), please ask your administrator to confirm that the proxy is set up for HTTPS.

 

Share



Comments


View All Posts or Filter By Tag


Questions?