
Clojure Collector: do not allow dependencies requiring an HTTP repository #3559

Closed
wheller opened this issue Jan 4, 2018 · 8 comments

wheller commented Jan 4, 2018

I'm receiving an error about an insecure dependency when I try to execute lein deps

snowplow/2-collectors/clojure-collector/java-servlet: master $ lein deps      
Tried to use insecure HTTP repository without TLS.
This is almost certainly a mistake; however in rare cases where it's
intentional please see `lein help faq` for details.

Unfortunately, I'm not familiar enough with Leiningen or Clojure to trace which dependency is responsible. Happy to help debug if someone can point me in the right direction. I started with Leiningen itself but... technomancy/leiningen#2372

@alexanderdean (Member)

Hi @wheller - sounds like something has changed in the latest Leiningen to diverge from the assumptions in this repo.

wheller commented Jan 4, 2018

I suspected something had changed recently. But as you can see from that bug report, Leiningen isn't exactly friendly to newcomers trying to debug.

@BenFradet (Contributor)

Quoting the FAQ:

Q: I got Tried to use insecure HTTP repository without TLS, what is that about?
A: This means your project was configured to download dependencies from a repository that does not use TLS encryption. This is very insecure and exposes you to trivially-executed man-in-the-middle attacks. In the rare event that you don't care about the security of the machines running your project, you can re-enable support for unprotected repositories by putting this in your project.clj file:
;; never do this
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
"http" #(org.apache.maven.wagon.providers.http.HttpWagon.))
It's also possible you have a dependency which includes a reference to an insecure repository for retrieving its own dependencies. If this happens it is strongly recommended to add an :exclusion and report a bug with the dependency which does this.

So we might have to add:

(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
 "http" #(org.apache.maven.wagon.providers.http.HttpWagon.))

or find out which dependency transitively relies on an HTTP repo.

wheller commented Jan 4, 2018

Yeah, I did read the FAQ too, but was discouraged at "If this happens it is strongly recommended to add an :exclusion and report a bug with the dependency which does this." and Leiningen leaving it up to you to figure out which one that is.

wheller commented Jan 4, 2018

Oh, and I'm planning on plugging this into a CI chain that will rebuild when someone makes a change to our repo, so charging ahead doing something under the category of "never do this" seemed... unwise. At least before asking for help. :-)

@BenFradet (Contributor)

Yes, definitely. You might have some luck trying to update the dependencies as well; it might be worth a shot.

@alexanderdean alexanderdean added this to the R10x [BAT] Priority fixes pt.2 milestone Feb 21, 2018
@BenFradet BenFradet changed the title leiningen Error When Trying to Build Clojure Collector Clojure Collector: change / bump dependencies requiring an HTTP repository Mar 29, 2018
worace commented May 30, 2018

Hi there, I found this issue via Google while searching for solutions to the same problem. I eventually figured out a way to track down transitive non-TLS deps using Maven. I wrote up the steps I used here: http://worace.works/2018/05/29/identify-non-https-transitive-leiningen-dependencies/.

Would be happy if this helps anyone as I have been dealing with this issue for a while now.
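Added example (not code from this issue, Snowplow or Leiningen): the FAQ quoted above says the http:// repository usually comes from some transitive dependency's own POM and recommends an :exclusion, and the comment above describes hunting it down through Maven. The script below does the hunt directly against a Maven local repository cache (the ~/.m2/repository layout is assumed): it parses every cached .pom, reports any <repository> or <pluginRepository> whose URL uses plain http://, and renders the matching :exclusions vector for project.clj. The two POMs embedded in it are constructed samples, not real artifacts.

```python
"""Locate cached Maven POMs that declare plain-HTTP repositories.

Aether (which Leiningen uses) honours <repositories> declared in any POM of the
transitive graph, so one http:// URL in a far-away dependency is enough to trigger
"Tried to use insecure HTTP repository without TLS". Find it, then exclude or bump it.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def _find(elem, tag):
    """Look a child up with the Maven namespace first, then without (older POMs omit xmlns)."""
    child = elem.find(POM_NS + tag)
    return child if child is not None else elem.find(tag)


def _text(elem, tag):
    child = _find(elem, tag)
    return child.text.strip() if child is not None and child.text else None


def insecure_repos_in_pom(pom_xml):
    """Return [(repo_id, url)] for every <repository>/<pluginRepository> with an http:// URL.

    Only the scheme is inspected: https:// and file:// pass, any capitalisation of http:// fails.
    """
    root = ET.fromstring(pom_xml)
    found = []
    for container in ("repositories", "pluginRepositories"):
        parent = _find(root, container)
        if parent is None:
            continue
        for repo in parent:
            url = _text(repo, "url")
            if url and url.lower().startswith("http://"):
                found.append((_text(repo, "id") or "?", url))
    return found


def pom_coordinates(pom_xml):
    """'group/artifact version' for a POM, inheriting group and version from <parent> if absent."""
    root = ET.fromstring(pom_xml)
    group, version = _text(root, "groupId"), _text(root, "version")
    parent = _find(root, "parent")
    if parent is not None:
        group = group or _text(parent, "groupId")
        version = version or _text(parent, "version")
    return f"{group}/{_text(root, 'artifactId')} {version}"


def scan_repository(root_dir):
    """Walk a Maven local repository; return [(coordinates, [(repo_id, url), ...])] for offenders."""
    offenders = []
    for dirpath, _, files in os.walk(root_dir):
        for name in sorted(files):
            if not name.endswith(".pom"):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                xml = fh.read()
            try:
                repos = insecure_repos_in_pom(xml)
            except ET.ParseError:
                continue  # a truncated or corrupt download cannot be the culprit Aether read
            if repos:
                offenders.append((pom_coordinates(xml), repos))
    return offenders


def lein_exclusion_hint(coordinates):
    """Render a project.clj :exclusions vector; Leiningen shortens group/artifact when they are equal."""
    symbols = []
    for coord in coordinates:
        group, artifact = coord.split()[0].split("/", 1)
        symbols.append(artifact if group == artifact else f"{group}/{artifact}")
    return ":exclusions [" + " ".join(symbols) + "]"


# Constructed sample POMs (hypothetical artifacts): one declares an http:// repo, one is clean.
SAMPLE_BAD = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>legacy-lib</artifactId>
  <version>1.2.3</version>
  <repositories>
    <repository><id>legacy-releases</id><url>http://repo.example.org/releases</url></repository>
    <repository><id>central</id><url>https://repo1.maven.org/maven2/</url></repository>
  </repositories>
</project>"""

SAMPLE_OK = """<project>
  <modelVersion>4.0.0</modelVersion>
  <parent><groupId>org.example</groupId><artifactId>parent-pom</artifactId><version>2.0.0</version></parent>
  <artifactId>safe-lib</artifactId>
  <pluginRepositories>
    <pluginRepository><id>clojars</id><url>https://repo.clojars.org/</url></pluginRepository>
  </pluginRepositories>
</project>"""


def demo():
    """Lay the samples out in the ~/.m2 directory layout inside a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, xml in (("org/example/legacy-lib/1.2.3/legacy-lib-1.2.3.pom", SAMPLE_BAD),
                         ("org/example/safe-lib/2.0.0/safe-lib-2.0.0.pom", SAMPLE_OK)):
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(xml)
        return scan_repository(tmp)


if __name__ == "__main__":
    hits = demo()  # replace with scan_repository(os.path.expanduser("~/.m2/repository"))
    for coords, repos in hits:
        print(coords, "->", repos)
    print(lein_exclusion_hint([coords for coords, _ in hits]))
```

Run it against the cache that produced the error (the POM that declares the http:// repository has already been downloaded by the time Aether refuses to use that repository), then exclude the offender in project.clj and pull the artifact it needed from a TLS repository, or bump to a version whose POM no longer lists the insecure URL. Registering an HttpWagon factory as in the FAQ snippet would make the build work, but it silently accepts whatever an on-path attacker serves for every dependency, which is exactly the wrong trade for a CI pipeline.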

@BenFradet (Contributor)

Interesting stuff, thanks 👍

@BenFradet BenFradet changed the title Clojure Collector: change / bump dependencies requiring an HTTP repository Clojure Collector: do not allow dependencies requiring an HTTP repository May 30, 2018