Leiningen: Tried to use insecure HTTP repository without TLS
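I am trying to work through the Enlive tutorial.
When I try lein deps or lein run in the cloned repository, I run into this problem:
Tried to use insecure HTTP repository without TLS.
Recent versions of Leiningen have disabled insecure dependency downloads. From the FAQ: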
Q: I got Tried to use insecure HTTP repository without TLS, what is that about?
A: This means your project was configured to download dependencies from a repository that does not use TLS encryption. This is very insecure and exposes you to trivially-executed man-in-the-middle attacks. In the rare event that you don't care about the security of the machines running your project or can ensure that the only http traffic is going out over a trusted network, you can re-enable support for unsafe repositories by putting this in your project.clj file:
;; never do this
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
"http" #(org.apache.maven.wagon.providers.http.HttpWagon.))
It's also possible you have a dependency which includes a reference to an insecure repository for retrieving its own dependencies. If this happens it is strongly recommended to add an :exclusion and report a bug with the dependency which does this.
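Override the insecure HTTP repository URLs in project.clj:
If I override the following repository URLs in enlive-tutorial/project.clj, I am able to successfully clone enlive-tutorial and run lein deps, simply by changing the protocol to HTTPS: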
:mirrors {"clojure" {:url "https://build.clojure.org/releases/"}
"clojure-snapshots" {:url "https://build.clojure.org/snapshots/"}}
It looks like Moustache is the transitive dependency that tries to pull its dependencies over HTTP.
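
To find which cached dependency declares a plain-HTTP repository (the situation the FAQ and the answer above describe), the POM files in the local Maven repository can be parsed and checked. This is an added example, not part of the original question or answer and not Leiningen's own code; the function names and SAMPLE_POM are constructed for illustration, and it assumes the default local repository at ~/.m2/repository.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample POM, not a real artifact's. The xmlns value is itself an
# "http://" string, which is why a plain grep for "http://" gives false hits.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>legacy-lib</artifactId>
  <repositories>
    <repository><id>old-releases</id><url>http://repo.example.invalid/releases/</url></repository>
    <repository><id>central</id><url>https://repo1.maven.org/maven2/</url></repository>
  </repositories>
</project>
"""

def _local(tag):  # strip the '{namespace}' prefix ElementTree adds to tags
    return tag.rsplit("}", 1)[-1]

def insecure_repos(pom):
    """Return [(repo_id, url)] for declared download repositories using http."""
    found = []
    for group in ET.fromstring(pom).iter():
        if _local(group.tag) not in ("repositories", "pluginRepositories"):
            continue
        for repo in group:
            fields = {_local(c.tag): (c.text or "").strip() for c in repo}
            if urlparse(fields.get("url", "")).scheme.lower() == "http":
                found.append((fields.get("id", "?"), fields["url"]))
    return found

def scan(root):
    """Walk a local Maven repository; map each offending .pom path to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.endswith(".pom")):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # bytes: honour the XML encoding decl
                    hits = insecure_repos(fh.read())
            except ET.ParseError:
                continue  # skip malformed POMs rather than abort the scan
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    for path, hits in scan(os.path.expanduser("~/.m2/repository")).items():
        print(path, hits)
```

Each reported path names the group, artifact and version of the dependency whose POM carries the HTTP repository, which is the one to override with an HTTPS mirror or report upstream.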