Recent leiningen won't download from http-only repository

[ojw]

Recent versions of leiningen (I've tested with 2.8.1) will refuse to download from http repositories.

The tutorial document suggests using

:repositories [["arachne-dev" "http://maven.arachne-framework.org/artifactory/arachne-dev"]]

, but leiningen will complain about this:

Tried to use insecure HTTP repository without TLS.
This is almost certainly a mistake; however in rare cases where it's
intentional please see `lein help faq` for details.

The relevant section of len help faq says:

Q: I got Tried to use insecure HTTP repository without TLS, what is that about?
A: This means your project was configured to download dependencies
from a repository that does not use TLS encryption. This is very
insecure and exposes you to trivially-executed man-in-the-middle attacks.
In the rare event that you don't care about the security of the machines
running your project, you can re-enable support for unprotected repositories
by putting this in your project.clj file:

;; never do this
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
"http" #(org.apache.maven.wagon.providers.http.HttpWagon.))

It's also possible you have a dependency which includes a reference to
an insecure repository for retrieving its own dependencies. If this
happens it is strongly recommended to add an :exclusion and report a
bug with the dependency which does this.

There is a workaround, but the best solution seems to be to add https support for the arachne repositories. Is that an option? Or is there other guidance you can provide to anyone looking to use arachne, but concerned about the security of downloading build artifacts over http?

(I'm not sure if this is the best of the various arachne repos to use to report this issue - if there's a better on, I can post it there.)

[arachne-bot]

Yeah, this is a change in lein 2.8. Non-https repos are not supported. However, it is a fair amount of effort for me to install a cert on maven.arachne-framework.org. I'd need to install nginx on that box and set up a forward proxy and get a key etc etc. I probably will not go to the trouble because: - Production versions of Arachne will go to Clojars, not the dev artifactory server - I am going to be moving to using Clojure git deps for development, forgoing the need to build dev artifacts at all. So for now I recommend doing what it says not to do. You're no less secure then you were when you were running lein 2.7. Thanks, -Luke

…

On Mon, Feb 12, 2018 at 11:38 AM, James ***@***.***> wrote: Recent versions of leiningen (I've tested with 2.8.1) will refuse to download from http repositories. The tutorial document suggests using :repositories [["arachne-dev" "http://maven.arachne-framework.org/artifactory/arachne-dev"]] , but leiningen will complain about this: Tried to use insecure HTTP repository without TLS. This is almost certainly a mistake; however in rare cases where it's intentional please see `lein help faq` for details. The relevant section of len help faq says: *Q:* I got Tried to use insecure HTTP repository without TLS, what is that about? *A:* This means your project was configured to download dependencies from a repository that does not use TLS encryption. This is very insecure and exposes you to trivially-executed man-in-the-middle attacks. In the rare event that you don't care about the security of the machines running your project, you can re-enable support for unprotected repositories by putting this in your project.clj file: ;; never do this (require 'cemerick.pomegranate.aether) (cemerick.pomegranate.aether/register-wagon-factory! "http" #(org.apache.maven.wagon.providers.http.HttpWagon.)) It's also possible you have a dependency which includes a reference to an insecure repository for retrieving its own dependencies. If this happens it is strongly recommended to add an :exclusion and report a bug with the dependency which does this. There is a workaround, but the best solution seems to be to add https support for the arachne repositories. Is that an option? Or is there other guidance you can provide to anyone looking to use arachne, but concerned about the security of downloading build artifacts over http? (I'm not sure if this is the best of the various arachne repos to use to report this issue - if there's a better on, I can post it there.) — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#34>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ATZcvkwpflL0BfLV8K-7hZ_EC6siKOGeks5tUGj-gaJpZM4SCdh6> .

[ojw]

Thanks for the explanation.

Are there examples anywhere of using Clojure git deps with Arachne? Is there a timeline of when you expect to either have a production version on Clojars, or when you'll switch to git for dev dependencies?

In the meantime I'll follow your recommendation to use the workaround (or pass dependencies around manually, I guess).

[devn]

Suggestion to update the getting started docs to the happy path for people interested in kicking the tires on Arachne.