From 75e609cba212ce27c7259ed8ff6d223b9cc2731e Mon Sep 17 00:00:00 2001 
From: Eugene Yokota Date: Wed, 28 Aug 2019 15:30:38 -0400 Subject: [PATCH 1/3] Deprecate HTTP resolvers (take 2) Ref https://github.com/sbt/sbt/issues/4905 This is a companion PR to https://github.com/sbt/librarymanagement/pull/318. This will print the following warnings: ``` sbt:hello> compile [warn] insecure HTTP request is deprecated 'Artifact(jsoup, jar, jar, None, Vector(), Some(http://jsoup.org/packages/jsoup-1.9.1.jar), Map(), None, false)'; switch to HTTPS or opt-in using from(url(...), allowInsecureProtocol = true) on ModuleID or .withAllowInsecureProtocol(true) on Artifact [warn] insecure HTTP request is deprecated 'http://repo.typesafe.com/typesafe/releases/'; switch to HTTPS or opt-in as ("Typesafe Releases" at "http://repo.typesafe.com/typesafe/releases/").withAllowInsecureProtocol(true) [warn] insecure HTTP request is deprecated 'http://repo.typesafe.com/typesafe/releases/'; switch to HTTPS or opt-in as ("Typesafe Releases" at "http://repo.typesafe.com/typesafe/releases/").withAllowInsecureProtocol(true) [warn] insecure HTTP request is deprecated 'http://repo.typesafe.com/typesafe/releases/'; switch to HTTPS or opt-in as ("Typesafe Releases" at "http://repo.typesafe.com/typesafe/releases/").withAllowInsecureProtocol(true) [warn] insecure HTTP request is deprecated 'Patterns(ivyPatterns=Vector(), artifactPatterns=Vector(http://repo.typesafe.com/typesafe/releases/[organisation]/[module](_[scalaVersion])(_[sbtVersion])/[revision]/[artifact]-[revision](-[classifier]).[ext]), isMavenCompatible=true, descriptorOptional=false, skipConsistencyCheck=false)'; switch to HTTPS or opt-in as Resolver.url("Typesafe Ivy Releases", url(...)).withAllowInsecureProtocol(true) [warn] insecure HTTP request is deprecated 'Patterns(ivyPatterns=Vector(), artifactPatterns=Vector(http://repo.typesafe.com/typesafe/releases/[organisation]/[module](_[scalaVersion])(_[sbtVersion])/[revision]/[artifact]-[revision](-[classifier]).[ext]), isMavenCompatible=true, 
descriptorOptional=false, skipConsistencyCheck=false)'; switch to HTTPS or opt-in as Resolver.url("Typesafe Ivy Releases", url(...)).withAllowInsecureProtocol(true) [warn] insecure HTTP request is deprecated 'Patterns(ivyPatterns=Vector(), artifactPatterns=Vector(http://repo.typesafe.com/typesafe/releases/[organisation]/[module](_[scalaVersion])(_[sbtVersion])/[revision]/[artifact]-[revision](-[classifier]).[ext]), isMavenCompatible=true, descriptorOptional=false, skipConsistencyCheck=false)'; switch to HTTPS or opt-in as Resolver.url("Typesafe Ivy Releases", url(...)).withAllowInsecureProtocol(true) ``` --- main/src/main/scala/sbt/Defaults.scala | 13 ++++++++++++- .../src/main/scala/sbt/coursierint/LMCoursier.scala | 1 + project/Dependencies.scala | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/main/src/main/scala/sbt/Defaults.scala b/main/src/main/scala/sbt/Defaults.scala index be0fb5a42..d5085ad8f 100755 --- a/main/src/main/scala/sbt/Defaults.scala +++ b/main/src/main/scala/sbt/Defaults.scala @@ -2548,6 +2548,14 @@ object Classpaths { } } + private[sbt] def warnInsecureProtocol(ress: Seq[Resolver], log: Logger): Unit = { + ress.foreach(_.validateProtocol(log)) + } + // this warns about .from("http:/...") in ModuleID + private[sbt] def warnInsecureProtocolInModules(mods: Seq[ModuleID], log: Logger): Unit = { + mods.foreach(_.validateProtocol(log)) + } + private[sbt] def defaultProjectID: Initialize[ModuleID] = Def.setting { val base = ModuleID(organization.value, moduleName.value, version.value) .cross(crossVersion in projectID value) 
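Review bot: The two new helpers `warnInsecureProtocol` and `warnInsecureProtocolInModules` have no Scaladoc, and nothing tells a caller that they only log. `foreach` discards whatever `validateProtocol` returns, so unless that method throws (not visible here) a plain-HTTP resolver or artifact URL is still used after the warning. I would state that on both helpers, e.g. `/** Logs a deprecation warning for every resolver that uses plain HTTP; does not by itself stop resolution. */`, so they are not read as an enforcement point. The inline comment also has a truncated scheme; `// this warns about .from("http://...") in ModuleID` reads better.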
@@ -2573,10 +2581,12 @@ object Classpaths { new IvySbt(ivyConfiguration.value, CustomHttp.okhttpClient.value) } def moduleSettings0: Initialize[Task[ModuleSettings]] = Def.task { + val deps = allDependencies.value.toVector + warnInsecureProtocolInModules(deps, streams.value.log) ModuleDescriptorConfiguration(projectID.value, projectInfo.value) .withValidate(ivyValidate.value) .withScalaModuleInfo(scalaModuleInfo.value) - .withDependencies(allDependencies.value.toVector) + .withDependencies(deps) .withOverrides(dependencyOverrides.value.toVector) .withExcludes(allExcludeDependencies.value.toVector) .withIvyXML(ivyXML.value) @@ -3203,6 +3213,7 @@ object Classpaths { val (rs, other) = (fullResolvers.value.toVector, otherResolvers.value.toVector) val s = streams.value warnResolversConflict(rs ++: other, s.log) + warnInsecureProtocol(rs ++: other, s.log) InlineIvyConfiguration() .withPaths(ivyPaths.value) .withResolvers(rs) diff --git a/main/src/main/scala/sbt/coursierint/LMCoursier.scala b/main/src/main/scala/sbt/coursierint/LMCoursier.scala index 4d7a896fe..9e762148d 100644 --- a/main/src/main/scala/sbt/coursierint/LMCoursier.scala +++ b/main/src/main/scala/sbt/coursierint/LMCoursier.scala @@ -91,6 +91,7 @@ object LMCoursier { val sbtScalaOrganization = "org.scala-lang" // always assuming sbt uses mainline scala val userForceVersions = Inputs.forceVersions(depsOverrides, scalaVer, scalaBinaryVer) Classpaths.warnResolversConflict(rs, log) + Classpaths.warnInsecureProtocol(rs, log) CoursierConfiguration() .withResolvers(rs.toVector) .withInterProjectDependencies(interProjectDependencies.toVector) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index b5bcf9d1c..f6db9b1f0 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala 
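Review bot: In the third Defaults.scala hunk, `warnInsecureProtocol(rs ++: other, s.log)` validates the concatenation of `fullResolvers` and `otherResolvers` as-is, so a resolver present in both lists would be warned about twice, and the LMCoursier.scala hunk adds a further `Classpaths.warnInsecureProtocol(rs, log)` on its own path. The sample output in the commit message already shows each resolver warning three times; whether that comes from this overlap or from several task evaluations is not visible here. Repeated identical warnings are easy to tune out, which weakens a message meant to move builds off plain HTTP, so I would at least deduplicate at the call site: `warnInsecureProtocol((rs ++: other).distinct, s.log)`. The enclosing task bodies start and end outside both hunks.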
@@ -15,7 +15,7 @@ object Dependencies { private val lmVersion = sys.props.get("sbt.build.lm.version") match { case Some(version) => version - case _ => nightlyVersion.getOrElse("1.3.0-M6") + case _ => nightlyVersion.getOrElse("1.3.0-M7") } val zincVersion = nightlyVersion.getOrElse("1.3.0-M9") From caaa8f1fb5f16fd7342f6583ba38fa17b841ca4b Mon Sep 17 00:00:00 2001 From: Eugene Yokota Date: Wed, 28 Aug 2019 23:21:56 -0400 Subject: [PATCH 2/3] io 1.3.0-M17, lm 1.3.0-M8 --- project/Dependencies.scala | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index f6db9b1f0..7eefce6f3 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala @@ -10,12 +10,12 @@ object Dependencies { def nightlyVersion: Option[String] = sys.props.get("sbt.build.version") // sbt modules - private val ioVersion = nightlyVersion.getOrElse("1.3.0-M16") + private val ioVersion = nightlyVersion.getOrElse("1.3.0-M17") private val utilVersion = nightlyVersion.getOrElse("1.3.0-M10") private val lmVersion = sys.props.get("sbt.build.lm.version") match { case Some(version) => version - case _ => nightlyVersion.getOrElse("1.3.0-M7") + case _ => nightlyVersion.getOrElse("1.3.0-M8") } val zincVersion = nightlyVersion.getOrElse("1.3.0-M9") From 377c6dd661442afa1c0b0c7d15cc9ce4a808abff Mon Sep 17 00:00:00 2001 From: Eugene Yokota Date: Wed, 28 Aug 2019 23:56:08 -0400 Subject: [PATCH 3/3] util 1.3.0-M11 --- project/Dependencies.scala | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index 7eefce6f3..7bbe8f4f0 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala 
@@ -11,7 +11,7 @@ object Dependencies { // sbt modules private val ioVersion = nightlyVersion.getOrElse("1.3.0-M17") - private val utilVersion = nightlyVersion.getOrElse("1.3.0-M10") + private val utilVersion = nightlyVersion.getOrElse("1.3.0-M11") private val lmVersion = sys.props.get("sbt.build.lm.version") match { case Some(version) => version