Leiningen raises "Tried to use insecure HTTP repository without TLS." but for which dependency?
I'm using Leiningen to run a Clojure project on my Raspberry Pi 3 (running stretch). Previously I used version 2.7.1 with no problems, but after upgrading to the latest version of lein (2.8.1) I now get this error for some of the dependencies (but not others):

Tried to use insecure HTTP repository without TLS

However, lein doesn't tell me which dependencies are causing problems, so how do I discover which ones cause this error?

Also is it possible to disable this security feature for certain dependencies? I'm only running on a home network so consider this acceptable.

Ducan answered 15/1, 2018 at 17:51 Comment(3)
See the FAQ for this: github.com/technomancy/leiningen/blob/2.8.1/doc/FAQ.md#faq (Colucci)
Perhaps post your :dependencies from project.clj? (Electronarcosis)
I've read the FAQ but it doesn't say how to discover the problem dependencies. (Ducan)

Answer edited after a comment correctly pointed out that the first method was showing only the immediate dependencies.

  1. Generate the Maven POM:

    lein pom
    Wrote .../pom.xml
    
  2. Following this answer for Java https://mcmap.net/q/1624901/-maven2-how-to-list-all-resources-repository-url-from-pom-file, use the Maven dependency plugin:

    mvn dependency:purge-local-repository > raw.txt
    

Open raw.txt in an editor and search for the string http:, that should point you on the right track.

For example with Unix command-line tools:

Unsafe repos (searching for http:):

grep http: raw.txt
Downloading from example: http://unsafe.example.org
Seger answered 10/3, 2018 at 13:0 Comment(3)
This answers only one of the questions. The pom.xml seems to only show first line deps. So when a dependency relies on an unsafe dependency you won't find it. (Angevin)
@Angevin you are right. I updated my answer accordingly. (Seger)
The format of the raw.txt doesn't help you determine which top-level dependency listed in project.clj is the cause. You could use "mvn dependency:tree -Dverbose=true" which will list the missing dependency in a form similar to: "[ERROR] Failed to execute goal on project lotusflare-funnel: Could not resolve dependencies for project Could not transfer artifact org.clojure:clojure:pom:1.3.0-alpha2 from/to clojure (build.clojure.org/releases): Access denied to: build.clojure.org/releases/org/clojure/clojure/1.3.0-alpha2/… , ReasonPhrase:Forbidden." (Prudence)
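An added example (not code from the answer or comments above) that automates the search this answer describes: it reads the pom.xml written by `lein pom` for `<repository>` URLs that are not https, and scans the Maven output captured in raw.txt for "Downloading from <id>: <url>" lines that used plain http, so you can see both the offending repository and the artifact that was pulled from it. The pom.xml fragment and log lines are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

POM_NS = "{http://maven.apache.org/POM/4.0.0}"  # namespace `lein pom` emits

# Constructed pom.xml fragment in the shape `lein pom` writes.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>central</id><url>https://repo1.maven.org/maven2/</url></repository>
    <repository><id>clojars</id><url>https://repo.clojars.org/</url></repository>
    <repository><id>legacy</id><url>http://unsafe.example.org/repo</url></repository>
  </repositories>
</project>"""

# Constructed lines in the format Maven prints while resolving artifacts.
SAMPLE_LOG = """\
Downloading from central: https://repo1.maven.org/maven2/org/clojure/clojure/1.9.0/clojure-1.9.0.pom
Downloading from legacy: http://unsafe.example.org/repo/example/widget/0.1.0/widget-0.1.0.pom
Downloaded from legacy: http://unsafe.example.org/repo/example/widget/0.1.0/widget-0.1.0.pom (2.1 kB at 10 kB/s)
Downloading from clojars: https://repo.clojars.org/example/tool/1.0.0/tool-1.0.0.jar
"""

def insecure_repositories(pom_xml):
    """Return {repo id: url} for every <repository> not served over https or file://."""
    root = ET.fromstring(pom_xml)
    found = {}
    for repo in root.iter(POM_NS + "repository"):
        rid = repo.findtext(POM_NS + "id")
        url = repo.findtext(POM_NS + "url") or ""
        if urlparse(url).scheme not in ("https", "file"):
            found[rid] = url
    return found

LOG_RE = re.compile(r"^Download(?:ing|ed) from (\S+): (\S+)")

def insecure_artifacts(log_text):
    """Return sorted, de-duplicated (repo id, artifact url) pairs fetched over plain http."""
    hits = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and urlparse(m.group(2)).scheme == "http":
            hits.add((m.group(1), m.group(2)))
    return sorted(hits)

if __name__ == "__main__":
    print("insecure repositories:", insecure_repositories(SAMPLE_POM))
    print("artifacts fetched over http:", insecure_artifacts(SAMPLE_LOG))
```

Replace the samples with `open("pom.xml").read()` and `open("raw.txt").read()` to run it against a real project; the repository id in each hit is what to look for in project.clj or in the dependency's own pom.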

[Note: this is not my preferred solution, but it got my project working again].

Use Leiningen 2.7.1, which doesn't have such strict security checks. Download from: https://raw.githubusercontent.com/technomancy/leiningen/2.7.1/bin/lein

Ducan answered 16/1, 2018 at 11:9 Comment(0)

It's a bit difficult to see which extension causes the problem as they can include other deps as well.

You can still download the extension though.

From the lein FAQ: This is very insecure and exposes you to trivially-executed man-in-the-middle attacks. In the rare event that you don't care about the security of the machines running your project, you can re-enable support for unprotected repositories by putting this at the top of your project.clj file:

;; allow insecure downloads
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
 "http" #(org.apache.maven.wagon.providers.http.HttpWagon.))

For me this worked on several older projects that were not updated. In the logs you can easily track which package was downloaded via http.

So this answers the "is it possible to disable the security feature" question from the OP.

The other question seems to have an answer on StackOverflow already: Display complete dependency tree with Leiningen

Angevin answered 9/3, 2018 at 23:41 Comment(0)