maven-apache-parent

add Reproducible Central Report

Open hboutemy opened this issue 11 months ago • 6 comments

see sample report https://maven.apache.org/plugins/maven-artifact-plugin/reproducible-central.html

hboutemy avatar Feb 02 '25 04:02 hboutemy

uh, looking at the example, it seems badges are now blocked by CSP (they were not less than one month ago). I'm not an expert; help appreciated to explain what exactly causes that and what should be done (probably at the maven.apache.org site? or can it be done in the report HTML page independently from the site?)

hboutemy avatar Feb 02 '25 10:02 hboutemy

ok, researching: https://en.wikipedia.org/wiki/Content_Security_Policy https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

I suppose some more restrictive CSP has been configured ASF-wide; need to find a pointer...

hboutemy avatar Feb 02 '25 17:02 hboutemy

https://infra.apache.org/csp.html is supposed to become effective March 1, 2025. Not sure this is what is currently causing the issue, but perhaps there is an intermediate step

hboutemy avatar Feb 02 '25 17:02 hboutemy

https://privacy.apache.org/policies/website-policy.html

  1. Using Assets from other Domains
     Assets (JavaScript files or snippets, images, fonts, CSS, etc.) from other domains cannot be loaded. All assets need to be hosted on ASF servers.

this may be the one that has been enabled over the past month

hboutemy avatar Feb 02 '25 17:02 hboutemy
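As an added illustration of what such a policy does to a report's badge images (example code written for this thread, not part of the Maven project or the ASF site): a small matcher that parses a Content-Security-Policy header, applies the img-src to default-src fallback, and decides whether a page at a given origin may load a given image URL. The policy strings and the badge host are constructed samples, not the real maven.apache.org headers, and ports and path components of host-sources are ignored.

```python
"""Does a Content-Security-Policy allow an image URL?  Added illustration:
sample policies and hosts are constructed; ports and paths are ignored."""
import fnmatch
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Turn "img-src 'self' https:; default-src 'self'" into {name: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def host_source_matches(source: str, url) -> bool:
    """Match a host-source such as https://*.apache.org (CSP '*' acts as a glob)."""
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != url.scheme:
        return False
    return fnmatch.fnmatchcase(url.hostname or "", src.hostname or "")


def image_allowed(header: str, image_url: str, page_origin: str) -> bool:
    """True if a page served from page_origin may load image_url under header."""
    policy = parse_csp(header)
    sources = policy.get("img-src", policy.get("default-src"))  # img-src falls back
    if sources is None:  # neither directive present: images are unrestricted
        return True
    if sources == ["'none'"]:
        return False
    url, origin = urlsplit(image_url), urlsplit(page_origin)
    for source in sources:
        if source == "'self'":
            if (url.scheme, url.hostname) == (origin.scheme, origin.hostname):
                return True
        elif source.startswith("'"):  # other keyword sources never match a URL
            continue
        elif source == "*" or (source.endswith(":") and url.scheme == source[:-1].lower()):
            return True  # wildcard or scheme-source such as https:
        elif host_source_matches(source, url):
            return True
    return False


# Constructed samples: one policy pins images to ASF hosts, the other allows any
# https: image; BADGE stands in for an externally hosted badge image.
ASF_ONLY = "default-src 'self'; img-src 'self' https://*.apache.org"
ANY_HTTPS = "default-src 'self'; img-src 'self' https:"
PAGE = "https://maven.apache.org/plugins/maven-artifact-plugin/"
BADGE = "https://badges.example.org/reproducible.svg"
```

Under ASF_ONLY the external badge is refused while an image on any *.apache.org host is accepted; under ANY_HTTPS the same badge loads.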

@niallkp do you confirm that the maven.apache.org webserver CSP has been updated during the last month to enforce that "4. Using Assets from other Domains" restriction, please?

hboutemy avatar Feb 02 '25 17:02 hboutemy

@niallkp do you confirm that the maven.apache.org webserver CSP has been updated during the last month to enforce that "4. Using Assets from other Domains" restriction, please?

@hboutemy Infra were going to implement the CSP temporarily on 1st February (yesterday) for testing purposes, but it's not supposed to go permanently live until 1st March 2025. Here's the email with the plan (I think you need to be logged in to PonyMail to see it):

  • https://lists.apache.org/thread/w34sd92v4rz3j28hyddmt5tbprbdq6lc

I don't know if Infra have turned that on or not for testing; would need to ask them.

niallkp avatar Feb 02 '25 23:02 niallkp