Recently sonatype enabled maven central to support https (background information). I've now added the following snippet to my pom.xml to force using https everywhere:
<!-- force https -->
<repositories>
<repository>
<id>central</id>
<url>https://repo1.maven.org/maven2</url>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>central</id>
<url>https://repo1.maven.org/maven2</url>
<snapshots>
<enabled>false</enabled>
</snapshots>
</pluginRepository>
</pluginRepositories>
Questions:
- Is this sufficient? Or will there be still http involved somewhere?
- Is this the correct way of doing it? As I've read that I should do this in the settings.xml instead. But then others using my (open source) project won't use the secure connection.
Update
It does not look sufficient as for e.g. the assembly plugin still HTTP is used:
[INFO] --- maven-assembly-plugin:2.4:single (make-assembly) @ graphhopper-web ---
Downloading: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-jdk14/1.5.6/slf4j-jdk14-1.5.6.jar
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…