Eric Clack

Reputation: 1926

Leiningen raises "Tried to use insecure HTTP repository without TLS." but for which dependency?

I'm using Leiningen to run a Clojure project on my Raspberry Pi 3 (running stretch). Previously I used version 2.7.1 with no problems, but after upgrading to the latest version of lein (2.8.1) I now get this error for some of the dependencies (but not others):

Tried to use insecure HTTP repository without TLS

However, lein doesn't tell me which dependencies are causing problems, so how do I discover which ones cause this error?

Also, is it possible to disable this security feature for certain dependencies? I'm only running on a home network, so I consider this acceptable.

Upvotes: 7

Views: 3765

Answers (3)

marco.m

Reputation: 4849

Answer edited after a comment correctly pointed out that the first method was showing only the immediate dependencies.

  1. Generate the Maven POM:

    lein pom
    Wrote .../pom.xml
    
  2. Following this answer for Java https://stackoverflow.com/a/3270067/561422, use the Maven dependency plugin:

    mvn dependency:purge-local-repository > raw.txt
    

Open raw.txt in an editor and search for the string http:; that should put you on the right track.

For example with Unix command-line tools:

Unsafe repos (searching for http:):

grep http: raw.txt
Downloading from example: http://unsafe.example.org

Upvotes: 4
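An added example (not part of the answer above) that scripts the grep step: given the captured Maven output, it lists the distinct plain-HTTP repository hosts and the artifact files fetched from them, so the offending dependency can be read off directly. The sample log lines are constructed to resemble Maven 3 "Downloading from" output; the repository ids and hosts are hypothetical.

```shell
#!/bin/sh
# Constructed sample of Maven download output (what raw.txt would contain).
# Two repositories use plain http://, one uses https://.
SAMPLE="${TMPDIR:-/tmp}/lein_raw_sample.txt"
printf '%s\n' \
  '[INFO] Downloading from central: https://repo1.maven.org/maven2/org/clojure/clojure/1.9.0/clojure-1.9.0.pom' \
  '[INFO] Downloading from clojars: https://repo.clojars.org/ring/ring-core/1.6.3/ring-core-1.6.3.pom' \
  '[INFO] Downloading from example: http://unsafe.example.org/maven2/com/example/widget/0.2.0/widget-0.2.0.pom' \
  '[INFO] Downloading from example: http://unsafe.example.org/maven2/com/example/widget/0.2.0/widget-0.2.0.jar' \
  '[INFO] Downloading from legacy: http://legacy.example.net/repo/net/example/gizmo/1.1/gizmo-1.1.pom' \
  > "$SAMPLE"

# Distinct repository hosts reached over plain HTTP.
# 'http://' does not match 'https://', so TLS repositories are excluded.
insecure_repos() {
    grep -o 'http://[^ ]*' "$1" \
        | sed 's#^\(http://[^/]*\).*#\1#' \
        | sort -u
}

# Number of artifact downloads attempted over plain HTTP.
insecure_count() {
    grep -c 'Downloading from [^:]*: http://' "$1"
}

# File names of the artifacts fetched over plain HTTP; the group/artifact/
# version in the name identifies the dependency to fix or re-point.
insecure_artifacts() {
    grep 'Downloading from [^:]*: http://' "$1" | sed 's#.*/##'
}

echo "Insecure repositories:"
insecure_repos "$SAMPLE"
echo "Artifacts fetched over plain HTTP ($(insecure_count "$SAMPLE")):"
insecure_artifacts "$SAMPLE"
```

Run it against the real raw.txt by replacing the constructed SAMPLE path; each listed artifact is one dependency (direct or transitive) resolved from an insecure repository.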

acidjunk

Reputation: 1880

It's a bit difficult to see which extension causes the problem as they can include other deps as well.

You can still download the extension though.

From the lein FAQ: This is very insecure and exposes you to trivially-executed man-in-the-middle attacks. In the rare event that you don't care about the security of the machines running your project, you can re-enable support for unprotected repositories by putting this at the top of your project.clj file:

;; allow insecure downloads
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
 "http" #(org.apache.maven.wagon.providers.http.HttpWagon.))

For me this worked on several older projects that were not updated. In the logs you can easily track which package was downloaded via http.

So this answers the "Is it possible to disable the security feature" question from the OP.

The other question seems to have an answer on StackOverflow already. Display complete dependency tree with Leiningen

Upvotes: 0

Eric Clack

Reputation: 1926

[Note: this is not my preferred solution, but it got my project working again].

Use Leiningen 2.7.1, which doesn't have such strict security checks. Download from: https://raw.githubusercontent.com/technomancy/leiningen/2.7.1/bin/lein

Upvotes: 1
