FasterXML / java-classmate

Library for introspecting generic type information of types, member/static methods, fields. Especially useful for POJO/Bean introspection.
http://fasterxml.com
Apache License 2.0

Change urls in pom to use https #47

Closed ST-DDT closed 5 years ago

ST-DDT commented 5 years ago

https://github.com/FasterXML/java-classmate/blob/master/pom.xml#L15

cowtowncoder commented 5 years ago

Do you have a link to an article outlining the reasoning, or perhaps recommendations for Maven project maintainers? I assume this is due to security concerns, but I'm not sure what the specific reasoning is -- does Maven or some other tool directly resolve the URL for anything but information purposes?

ST-DDT commented 5 years ago

Do you have a link to an article outlining the reasoning, or perhaps recommendations for Maven project maintainers? I assume this is due to security concerns, but I'm not sure what the specific reasoning is

Unfortunately I couldn't find a link that recommends either (at least for Maven). I mostly found questions from users trying to avoid the other.

I (and probably a huge part of the internet) recommend https though, and some famous browsers start nagging about http. (I guess I'm not saying anything new for you here)

Well, it feels so wrong to paste links to "should I use https?" to a developer of such an important/good library, so I only paste this (funny but true) one:

does Maven or some other tool directly resolve the URL for anything but information purposes?

AFAICT Maven doesn't use the project.url or scm.url for anything but the generated documentation. You can test this with mvn site -> dependencies. It will then list all libraries with all their links (project url, license urls...).
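A check of the kind such a scanner performs, as an added example that is not from this thread or the classmate project: it parses a constructed pom.xml with the standard library and reports elements whose URL still uses plain http, separating the informational URLs discussed above (project url, scm, licenses) from repository URLs that Maven actually downloads from or deploys to. The sample POM, its hosts and the element lists are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample pom.xml (not the project's): informational URLs and one
# repository URL that still use plain http.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <url>http://example.invalid/demo</url>
  <scm>
    <url>https://github.com/example/demo</url>
    <connection>scm:git:http://github.com/example/demo.git</connection>
  </scm>
  <repositories>
    <repository><id>internal</id><url>http://repo.example.invalid/maven2</url></repository>
  </repositories>
</project>
"""

# Elements Maven only reports in generated docs (e.g. "mvn site") ...
INFORMATIONAL = ["m:url", "m:scm/m:url", "m:scm/m:connection",
                 "m:scm/m:developerConnection", "m:licenses/m:license/m:url",
                 "m:organization/m:url", "m:issueManagement/m:url"]
# ... versus elements Maven actually downloads from or uploads to.
RESOLVED = ["m:repositories/m:repository/m:url",
            "m:pluginRepositories/m:pluginRepository/m:url",
            "m:distributionManagement/m:repository/m:url",
            "m:distributionManagement/m:snapshotRepository/m:url"]


def _scheme(value: str) -> str:
    """Scheme of a URL, or of the URL part of an SCM URL like 'scm:git:http://...'."""
    url = value.split(":", 2)[2] if value.startswith("scm:") else value
    return urlparse(url.strip()).scheme.lower()


def find_plain_http(pom_xml: str) -> dict:
    """Return element paths whose URL uses plain http, split by whether Maven resolves them."""
    root = ET.fromstring(pom_xml)
    # Honour whatever default namespace the POM declares (or none at all).
    ns = {"m": root.tag[1:].split("}")[0]} if root.tag.startswith("{") else {}
    fix = (lambda p: p) if ns else (lambda p: p.replace("m:", ""))
    findings = {"informational": [], "resolved": []}
    for kind, paths in (("informational", INFORMATIONAL), ("resolved", RESOLVED)):
        for path in paths:
            for el in root.findall(fix(path), ns):
                if el.text and _scheme(el.text) == "http":
                    findings[kind].append(path.replace("m:", ""))
    return findings
```

Run it against a real pom.xml with `find_plain_http(open("pom.xml").read())`; the "resolved" list is the one worth acting on first, since those URLs are used for actual artifact transfers.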

gjoseph commented 4 years ago

@cowtowncoder would you be able to cut a release with this change? It feels unnecessarily tedious, but tools like SourceClear are reporting vulns against this, and I'd rather bump a dependency in my projects than argue about why this vuln is irrelevant. Cheers!

cowtowncoder commented 4 years ago

@gjoseph Jesus Fucking Christ security tools are stupid. Can you send me a link or something? I don't really want to do a release for a cosmetic change with nothing of use... but I am curious now what kind of godforsaken pile of crap flags a package for such a thing. :-(

gjoseph commented 4 years ago

Sorry :D This link should be it but it doesn't offer much if you're not logged in: https://www.sourceclear.com/vulnerability-database/vulnerabilities/21514

rafollett commented 4 years ago

I also could use an updated release due to the SourceClear issue.

cowtowncoder commented 4 years ago

Released 1.5.1, should be on its way to Maven Central.

gjoseph commented 4 years ago

Sorry for the late reply, but, excellent, thanks @cowtowncoder!