[deps] All pulling from http maven repos

Question

Follow up to the following slack:
https://clojurians.slack.com/archives/C6QH853H8/p1677508334883579

Maven has disallowed pulling from http repos, however it would be nice to be able to override this https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291

thanks

Answer 1

I made it possible to re-enable this in the 1.11.1.1237 release today by setting the env var CLOJURE_CLI_ALLOW_HTTP_REPO.

Answer 2

If you or others need this flag, I would be interested in learning about what scenario you have where this is needed.

One I know of is having an internal Maven proxy (like Nexus) that is http - the recommendation from Nexus is to put that under https as well.