TechQA.

Leiningen raises "Tried to use insecure HTTP repository without TLS." but for which dependency?

3.6k views Asked by At

I'm using Leiningen to run a Clojure project on my Raspberry Pi 3 (running stretch), previously I used version 2.7.1 with no problems, but upgrading to the latest version on lein (2.8.1) I now get this error for some of the dependencies (but not others):

Tried to use insecure HTTP repository without TLS

However, lein doesn't tell me which dependencies are causing problems, so how do I discover which ones cause this error?

Also is it possible to disable this security feature for certain dependencies? I'm only running on a home network so consider this acceptable.

clojure leiningen clojars
Original Q&A
3

There are 3 answers

0
Eric Clack On

[Note: this is not my preferred solution, but it got my project working again].

Use Leiningen 2.7.1, which doesn't have such strict security checks. Download from: https://raw.githubusercontent.com/technomancy/leiningen/2.7.1/bin/lein

0
acidjunk On

It's a bit difficult to see which extension causes the problem as they can include other deps as well.

You can still download the extension though.

From the lein FAQ; This is very insecure and exposes you to trivially-executed man-in-the-middle attacks. In the rare event that you don't care about the security of the machines running your project, you can re-enable support for unprotected repositories by putting this at the top of your project.clj file:

;; allow insecure downloads
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
 "http" #(org.apache.maven.wagon.providers.http.HttpWagon.))

For me this worked on several older project that were not updated. In the logs you can easily track which package was downloaded via http.

So this answers the : "Is it possible to disable the security" feature question from the OP.

The other question seems to have an answer on StackOverflow already. Display complete dependency tree with Leiningen

3
marco.m On

Answer edited after a comment correctly pointed out that the first method was showing only the immediate dependencies.

  1. Generate the Maven POM:

    lein pom
Wrote .../pom.xml

  2. Following this answer for Java https://stackoverflow.com/a/3270067/561422, use the Maven dependency plugin:

    mvn dependency:purge-local-repository > raw.txt

Open raw.txt in an editor and search for the string http:, that should point you on the right track.

For example with Unix command-line tools:

Unsafe repos (searching for http:):

grep http: raw.txt
Downloading from example: http://unsafe.example.org

Related Questions in CLOJURE

Related Questions in LEININGEN

Related Questions in CLOJARS

Popular Questions

Trending Questions