lombok.ast

use HTTPS to protect developers

Open eighthave opened this issue 9 years ago • 1 comments

The build system here downloads and executes lots of jars via plain text HTTP connections. This is a large security risk: http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

And there is a simple fix that will help a lot, switch the URLs to use HTTPS:

    find * -name \*.xml | xargs sed -i 's,http://projectlombok.org,https://projectlombok.org,g'

And changing this in buildScripts/ivysettings.xml works for me:

    <ibiblio name="maven-repo2" m2compatible="true" root="https://repo1.maven.org/maven2" />

This same issue also applies to lombok and ivyplusplus.

eighthave avatar Dec 18 '15 09:12 eighthave

Last year we moved the project lombok website to https, introduced the HSTS header, and changed the lombok project to https. Now it's time for this project. Fixed it locally, will push soon.

rspilker avatar Dec 18 '15 17:12 rspilker
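
A check to run after the URL switch described in the issue, as an added example that is not from the issue thread or the lombok.ast project: it parses XML build files and reports attribute values that still contain `http://`. The sample file, the function names and the `/example/` path are constructed for illustration.

```python
"""Added example: list plain-HTTP URLs left in XML build files (Ivy settings, Ant scripts)."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample, not the project's real file: one resolver still on plain
# HTTP, one already switched. The /example/ path is made up.
SAMPLE_IVYSETTINGS = """\
<ivysettings xmlns:e="http://ant.apache.org/ivy/extra">
  <resolvers>
    <ibiblio name="maven-repo2" m2compatible="true" root="http://repo1.maven.org/maven2" />
    <url name="projectlombok">
      <ivy pattern="https://projectlombok.org/example/[module]-ivy.xml" />
    </url>
  </resolvers>
</ivysettings>
"""

def plain_http_urls(xml_text):
    """Return (tag, attribute, value) for each attribute value containing http://.

    ElementTree consumes xmlns declarations while parsing, so namespace
    identifiers (never downloaded) are not reported.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if "http://" in value.lower():
                findings.append((elem.tag, attr, value))
    return findings

def scan_tree(root):
    """Scan every *.xml under root; return {path: findings} for files with findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.xml")):
        try:
            found = plain_http_urls(path.read_bytes())
        except ET.ParseError:
            continue  # not well-formed XML; check such files by hand
        if found:
            report[str(path)] = found
    return report

if __name__ == "__main__":
    report = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, found in report.items():
        for tag, attr, value in found:
            print(f"{path}: <{tag} {attr}=...> {value}")
    sys.exit(1 if report else 0)  # non-zero exit fails a CI step
```

Run from the repository root, it exits non-zero while any XML build file still names a plain-HTTP location, so it can gate a CI job.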