Closed gregturn closed 4 years ago
Where does this actually do anything useful besides reformatting and changing comments?
The real power is the addition of nohttp-checkstyle that guards against any usages of http in the source code. The plugin scans everything, so it does alert to things that are, indeed, just comments.
The chances of some attack vector making its way through an unsecured link found, for example, in a header comment sound slim to none. But by making this simple edit, any such risk is taken off the table of ever possibly happening. With little effort.
Regarding the changes in Import statements, I apologize for that. I didn't spy any code formatter settings so it probably tweaked things per those settings.
The official license text/header of ASF2.0 does not contain https .... https://www.apache.org/licenses/LICENSE-2.0
I have no control over that.
Sorry for the misunderstanding - I meant to say that from a legal standpoint the license should not be changed to https as it is http in the original.
Respectfully disagree.
A) No wording of the license has been altered. Only the protocol of a link, a link that itself is now secured by the ASF itself. Not being a lawyer, I would never alter a given word since words have more precise meanings in lawyerese. But we’re talking about a link.
B) The licensing of this project isn’t dependent upon retaining parity with the ASF’s website. In other words, nothing in the license says that adjusting the protocol would invalidate it.
Hence I conclude that migrating a link toward a format actually served by default from the ASF is an agreeable alteration of the legal prose that allows adoption of the no-http plugin.
Just my $0.02.
This project is essentially frozen for development and new efforts are ongoing in the Apache Maven project itself. We therefore close this PR. Please find more information at https://github.com/takari/maven-wrapper#ongoing-migration-to-apache-maven and participate in the development there.
To avoid potential MITM attacks, use https everywhere.
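The kind of scan discussed in this thread, as an added example that is not part of the original PR and is not nohttp's own code or rule set: a text-level check that flags `http://` links in comments and code alike, then rewrites them to `https://`. The allowlist prefixes (XML namespace identifiers that are never fetched), the sample file and the function names are assumptions of this example.

```python
import re

# Matches plain-http URLs; stops at whitespace and common closing delimiters.
HTTP_URL = re.compile(r"http://[^\s\"'<>)\]]+")

# Assumption of this example: identifiers that look like URLs but are never
# fetched (XML namespaces), so rewriting them would break parsing.
ALLOWED_PREFIXES = ("http://maven.apache.org/POM/", "http://www.w3.org/")

# Constructed sample input: a Java file with a license header comment.
SAMPLE = '''\
/*
 * Licensed under the Apache License, Version 2.0
 *     http://www.apache.org/licenses/LICENSE-2.0
 */
package example;

public class Downloader {
    static final String REPO = "http://repo.example.invalid/maven2";
    static final String NS = "http://maven.apache.org/POM/4.0.0";
}
'''


def is_allowed(url):
    return url.startswith(ALLOWED_PREFIXES)


def find_http_links(text):
    """Return (line_number, url) for every non-allowlisted http:// URL."""
    findings = []
    # The language is not parsed, so comments are scanned exactly like code.
    for number, line in enumerate(text.splitlines(), start=1):
        for match in HTTP_URL.finditer(line):
            if not is_allowed(match.group()):
                findings.append((number, match.group()))
    return findings


def upgrade_links(text):
    """Rewrite flagged URLs to https://, leaving allowlisted ones alone."""
    def fix(match):
        url = match.group()
        return url if is_allowed(url) else "https://" + url[len("http://"):]
    return HTTP_URL.sub(fix, text)


if __name__ == "__main__":
    for number, url in find_http_links(SAMPLE):
        print(f"line {number}: {url}")
```

Before committing a rewritten link, confirm that the host actually serves the resource over https.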