arachne-framework / arachne-docs

Documentation repo for Arachne

Recent leiningen won't download from http-only repository #34

Open ojw opened 6 years ago

ojw commented 6 years ago

Recent versions of leiningen (I've tested with 2.8.1) will refuse to download from http repositories.

The tutorial document suggests using

:repositories [["arachne-dev" "http://maven.arachne-framework.org/artifactory/arachne-dev"]]

but leiningen will complain about this:

Tried to use insecure HTTP repository without TLS.
This is almost certainly a mistake; however in rare cases where it's
intentional please see `lein help faq` for details.

The relevant section of lein help faq says:

Q: I got Tried to use insecure HTTP repository without TLS, what is that about?
A: This means your project was configured to download dependencies from a repository that does not use TLS encryption. This is very insecure and exposes you to trivially-executed man-in-the-middle attacks. In the rare event that you don't care about the security of the machines running your project, you can re-enable support for unprotected repositories by putting this in your project.clj file:

```clojure
;; never do this
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
  "http" #(org.apache.maven.wagon.providers.http.HttpWagon.))
```

It's also possible you have a dependency which includes a reference to an insecure repository for retrieving its own dependencies. If this happens it is strongly recommended to add an :exclusion and report a bug with the dependency which does this.

There is a workaround, but the best solution seems to be to add https support for the arachne repositories. Is that an option? Or is there other guidance you can provide to anyone looking to use arachne, but concerned about the security of downloading build artifacts over http?

(I'm not sure if this is the best of the various arachne repos to use to report this issue - if there's a better one, I can post it there.)
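An added check, not part of the Arachne project or of this thread: a small Python audit that flags the two things discussed above in a project.clj, a plain-http entry in :repositories and the register-wagon-factory! override that re-enables http, so a CI step can catch either before a build fetches artifacts without TLS. The sample project.clj is constructed for the example.

```python
import re

# Constructed sample project.clj (not from the Arachne repos): it combines the
# http repository from the tutorial with the "never do this" wagon override
# quoted from `lein help faq`.
SAMPLE_PROJECT_CLJ = '''
(defproject demo "0.1.0"
  :repositories [["arachne-dev" "http://maven.arachne-framework.org/artifactory/arachne-dev"]
                 ["clojars" "https://repo.clojars.org/"]]
  :dependencies [[org.clojure/clojure "1.9.0"]])
;; never do this
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
  "http" #(org.apache.maven.wagon.providers.http.HttpWagon.))
'''

HTTP_URL_RE = re.compile(r'"(http://[^"\s]+)"')
WAGON_OVERRIDE_RE = re.compile(r'register-wagon-factory!\s+"http"')


def strip_comments(src: str) -> str:
    """Drop ';' line comments so commented-out code is not reported.
    Assumes no ';' inside string literals (true of normal repository URLs)."""
    return "\n".join(line.split(";", 1)[0] for line in src.splitlines())


def find_insecure_repositories(src: str) -> list:
    """Return every plain-http URL quoted in the project file."""
    return HTTP_URL_RE.findall(strip_comments(src))


def has_http_wagon_override(src: str) -> bool:
    """True if the file re-registers the http wagon that lein 2.8 disables."""
    return WAGON_OVERRIDE_RE.search(strip_comments(src)) is not None


def audit(src: str) -> dict:
    """Summarise findings; an empty list and False mean the file is clean."""
    return {
        "insecure_repositories": find_insecure_repositories(src),
        "http_wagon_override": has_http_wagon_override(src),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PROJECT_CLJ).items():
        print(f"{key}: {value}")
```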

arachne-bot commented 6 years ago

Yeah, this is a change in lein 2.8. Non-https repos are not supported.

However, it is a fair amount of effort for me to install a cert on maven.arachne-framework.org. I'd need to install nginx on that box and set up a forward proxy and get a key etc etc.

I probably will not go to the trouble because:

So for now I recommend doing what it says not to do. You're no less secure than you were when you were running lein 2.7.

Thanks, -Luke

On Mon, Feb 12, 2018 at 11:38 AM, James notifications@github.com wrote:

ojw commented 6 years ago

Thanks for the explanation.

Are there examples anywhere of using Clojure git deps with Arachne? Is there a timeline of when you expect to either have a production version on Clojars, or when you'll switch to git for dev dependencies?

In the meantime I'll follow your recommendation to use the workaround (or pass dependencies around manually, I guess).

devn commented 6 years ago

Suggestion to update the getting started docs to the happy path for people interested in kicking the tires on Arachne.