Wednesday, November 15, 2017

Not using SSL to connect to Maven? dilettante (= amateur)!

If you want to play a trick on your friends, you can use Dilettante to man-in-the-middle a Maven repository request and inject some bad behaviour (the source code is here), but don't do it at your company: you might not win friends.

Very interesting reading

You can upgrade your URL to HTTPS at no cost (it used to be a paid service).

Use this, not

To verify the artifacts your build depends on:

mvn com.github.s4u.plugins:pgpverify-maven-plugin:check

You can create a GPG key locally:

gpg --gen-key
gpg --list-keys
gpg --list-secret-keys

To verify a component (the detached signature first, then the artifact it signs):
gpg --verify plexus-cipher-1.7.jar.asc plexus-cipher-1.7.jar
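The two points above (move every repository URL to HTTPS, then verify what you download) can be checked in a few lines. The script below is an added example written for this post, not the Dilettante tool or the pgpverify plugin, and runs offline against a constructed settings.xml fragment and constructed artifact bytes: it lists every repository or mirror still declared over plain HTTP, and it compares an artifact against the .sha1 / .sha256 file that Maven repositories publish beside each jar.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample settings.xml (not taken from the post): one mirror still on
# plain HTTP, one already on HTTPS.
SAMPLE_SETTINGS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central-http</id>
      <mirrorOf>central</mirrorOf>
      <url>http://repo.maven.apache.org/maven2</url>
    </mirror>
    <mirror>
      <id>central-https</id>
      <mirrorOf>central</mirrorOf>
      <url>https://repo.maven.apache.org/maven2</url>
    </mirror>
  </mirrors>
</settings>
"""

# Constructed stand-in for a downloaded jar (real jars start with the ZIP magic "PK").
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed plexus-cipher-1.7.jar stand-in"

# Elements in pom.xml / settings.xml that carry a repository <url>.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}


def _local(tag):
    """Strip the XML namespace prefix: '{http://...}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def find_insecure_repositories(xml_text):
    """Return [(id, url)] for every repository/mirror whose URL is not https."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in REPO_TAGS:
            continue
        repo_id, url = None, None
        for child in elem:
            name = _local(child.tag)
            if name == "id":
                repo_id = (child.text or "").strip()
            elif name == "url":
                url = (child.text or "").strip()
        # Anything that is not https (http, or a typo such as "htp") is reported.
        if url and urlsplit(url).scheme.lower() != "https":
            findings.append((repo_id, url))
    return findings


def checksum_hex(artifact, algorithm="sha1"):
    """Digest of the artifact bytes, in the hex form Maven's .sha1/.sha256 files use."""
    return hashlib.new(algorithm, artifact).hexdigest()


def verify_checksum(artifact, published_text, algorithm="sha1"):
    """Compare an artifact with the published checksum file.

    Checksum files may contain a trailing newline or the "hash  filename" form,
    so only the first token is compared, in constant time.
    """
    tokens = published_text.strip().split()
    if not tokens:
        return False
    expected = tokens[0].lower()
    return hmac.compare_digest(checksum_hex(artifact, algorithm), expected)


if __name__ == "__main__":
    for repo_id, url in find_insecure_repositories(SAMPLE_SETTINGS_XML):
        print(f"insecure repository {repo_id!r}: {url}")
    published = checksum_hex(SAMPLE_ARTIFACT) + "\n"
    print("checksum ok:", verify_checksum(SAMPLE_ARTIFACT, published))
    print("tampered ok:", verify_checksum(SAMPLE_ARTIFACT + b"!", published))
```

Point `find_insecure_repositories` at your real settings.xml and every pom.xml with `<repositories>` or `<pluginRepositories>` sections. Note that a checksum fetched over the same plain-HTTP connection as the jar gives no protection against a man-in-the-middle, who can rewrite both; the checksum only catches corruption. What binds an artifact to its publisher is the PGP signature checked by the `gpg --verify` command above or by the pgpverify plugin.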

Very good article on XBI (cross-build injection)

and about verifying components using the MIT key repo:

Interesting Maven plugin to whitelist components in a build

and here is another similar Maven plugin to check PGP signatures
