One thing I detest about Maven: it uses HTTP by default. Getting it to use HTTPS requires a lot of work[1], so many don't bother.
By default, not only are you downloading a truckload of jars from the internet and running them locally, you are fetching them over an insecure channel!
What is HTTPS supposed to protect against in this case?
1) If you are using it to protect against snooping (why?!) then you must realise that the logs of many Maven repositories are effectively public (e.g., I believe Apache committers can access the repo.maven logs pretty easily). For protection against snooping, use a local repo.
2) If you are expecting it to protect you against tampering in transport, then you are better off using a local repo (again). It's much more likely artifacts are tampered with at the remote repository rather than during the transport phase.
It's much more likely artifacts are tampered with at the remote repository rather than during the transport phase.
MITMing the public wifi at some coffee store is much easier than breaking into the official Maven repositories. At least I hope so. That's why RPM and DPKG packages are signed.
OK, but compare the impact of hacking the official repo vs. sitting in some coffee store hoping someone there builds a project using a particular lib you have code ready to modify on the fly, while you MITM that exact repo pull?
He said it's much more likely the repo is tampered with. Easy to see why. In this coffee shop scenario, they'd have to be targeting you personally and know your habits, your build and the code they need to target you with. In which case, HTTPS is far from your biggest concern.
Replace "coffee shop" with "software conference hall" and "specific lib" with "current log4j/junit/whatever very common library you want".
Suddenly it's a lot less targeted attack. Moreover, the "victims" should be of much higher profile than your regular student downloading an obscure library whose repo you managed to hack.
Not that I think it's a particularly important security concern. However, when you are dealing with security concerns, the fact that you can't make up a situation that sounds bad enough doesn't mean that nobody else can.
Update: sorry for the wording of the last sentence (non-native speaker here). I'll be glad if someone can correct it, because I can't figure out how to construct it to sound well.
It's for when you trust the public repo operator, you trust the authors of the package you're downloading, you trust your local machine, you trust the repo operator's SSL CA, but you don't trust the connection from your computer to the public repo.
HTTPS is useless for package management, given that most people are downloading from mirrors. What you want is a signature over the entire repository, like Debian and Ubuntu do (not just signing individual packages, like Fedora does). Once you have that, you don't need HTTPS.
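The "signature over the entire repository" model from the comment above, as an added example that is not part of this thread and not Maven's, Debian's or Fedora's own code. It models a Debian-style signed index: the repository operator publishes an index of SHA-256 hashes for every artifact and signs the whole index with a long-term Ed25519 key; the client, fetching from an untrusted mirror or over plain HTTP, first checks the index signature and then checks every artifact against the index. The artifact paths, the index line format and the jar contents are constructed for the example; the key is generated on the fly rather than being a real repository key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// buildIndex produces the repository index: one line per artifact,
// "sha256hex  path", sorted by path so the output is canonical.
// This is a constructed stand-in for a Debian Release/Packages file.
func buildIndex(artifacts map[string][]byte) string {
	paths := make([]string, 0, len(artifacts))
	for p := range artifacts {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(artifacts[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return b.String()
}

// signIndex is run by the repository operator: one signature covers the
// whole index, so mirrors cannot add, drop or swap artifacts unnoticed.
func signIndex(priv ed25519.PrivateKey, index string) []byte {
	return ed25519.Sign(priv, []byte(index))
}

// VerifyMirror is the client side. It trusts only the operator's public
// key: the index signature is checked first, then every fetched artifact
// is hashed and compared with the entry in the signed index.
func VerifyMirror(pub ed25519.PublicKey, index string, sig []byte, fetched map[string][]byte) error {
	if !ed25519.Verify(pub, []byte(index), sig) {
		return errors.New("index signature invalid: index altered or not signed by the repo key")
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(index), "\n") {
		parts := strings.Fields(line)
		if len(parts) != 2 {
			return fmt.Errorf("malformed index line %q", line)
		}
		expected[parts[1]] = parts[0]
	}
	for path, data := range fetched {
		want, ok := expected[path]
		if !ok {
			return fmt.Errorf("%s: not listed in signed index", path)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: sha256 mismatch, artifact tampered on mirror or in transit", path)
		}
	}
	return nil
}

// Demo runs three scenarios: an honest mirror, a mirror that swapped a jar,
// and a mirror that swapped the jar and rewrote the index to match.
func Demo() (honestOK, artifactTamperDetected, indexTamperDetected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // assumed operator key
	if err != nil {
		panic(err)
	}
	// Constructed artifacts; real ones would be jars or debs.
	repo := map[string][]byte{
		"org/example/lib/1.0/lib-1.0.jar":   []byte("PK... genuine lib 1.0"),
		"org/example/util/2.3/util-2.3.jar": []byte("PK... genuine util 2.3"),
	}
	index := buildIndex(repo)
	sig := signIndex(priv, index)

	honestOK = VerifyMirror(pub, index, sig, repo) == nil

	evil := map[string][]byte{}
	for k, v := range repo {
		evil[k] = v
	}
	evil["org/example/lib/1.0/lib-1.0.jar"] = []byte("PK... backdoored lib 1.0")
	artifactTamperDetected = VerifyMirror(pub, index, sig, evil) != nil

	// The attacker can rewrite the index to list the backdoored hash, but
	// cannot produce a valid signature over it without the operator's key.
	forgedIndex := buildIndex(evil)
	indexTamperDetected = VerifyMirror(pub, forgedIndex, sig, evil) != nil
	return
}

func main() {
	h, a, i := Demo()
	fmt.Printf("honest mirror accepted: %v\nswapped artifact rejected: %v\nforged index rejected: %v\n", h, a, i)
}
```

The point the example makes is that the transport never enters the check: a mirror, a coffee-shop MITM and a plain-HTTP download are all treated as untrusted, and only the operator's signing key is trusted. What the signed index does not protect against is the case the earlier comments raise, a compromise of the official repository itself, since the operator's key would then sign the tampered index too.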
[1]: http://maven.apache.org/guides/mini/guide-repository-ssl.htm...