Are you using Bintray JCenter to find and share public OSS JVM language packages? If so, we have some important news for you to help keep your builds running without interruption.
Starting in January 2020, JCenter will only serve requests made with HTTPS. From that point on, all requests made with HTTP will be denied and any builds that use a JCenter URL with the non-secure HTTP protocol will fail.
The TL;DR? Update your tools with a URL that uses HTTPS as soon as you can. That’s all you really need to do to be certain all your builds will continue to run smoothly with JCenter.
To ease the transition for JCenter users, the change is coming in two phases:
- October 1, 2019: HTTP requests to JCenter will automatically be redirected to HTTPS.
- January 13, 2020: HTTP requests to JCenter will be denied. Only HTTPS will be supported.
If you want to know more, here are some answers to questions you’re likely to have:
JCenter is a central repository on JFrog Bintray platform for finding and sharing popular JVM language packages in Maven format, used by Maven, Gradle, Ivy, SBT, and others to build Java, Groovy, Kotlin, Scala and others. JCenter is the most comprehensive source for OSS Maven packages, hosting over 340,000 public packages.
HTTPS support on JCenter isn’t new. JCenter supported secure HTTPS from day 0, and it’s always been the recommended transport protocol to access any repository on Bintray. Support for HTTPS has been one of many components of JFrog’s commitment to content integrity. We’ve permitted access using HTTP protocol as well, but soon we won’t.
Because we care about your security. HTTP is an unencrypted transfer protocol that is vulnerable to eavesdropping and tampering. Particularly important to JCenter users, HTTP transfers enable man-in-the-middle attacks that can be performed on JAR artifacts. As a protocol that uses bidirectional encrypted transmissions, HTTPS provides an essential level of protection.
If your URLs are already using HTTPS, you don’t need to do anything. Congratulate yourself for good security practice, but remember, that HTTPS is not enough!
You should still update your URLs to use HTTPS as soon as possible.
If you miss any you will still be okay after the first change in October. After October 1st, look for redirect messages in your logs, to help you find all of the places where you need to change to HTTPS before the end of the year. After January 13th, your builds will fail for any URLs you didn’t update.
Update your URLs to use HTTPS right away. If you don’t, and your tools don’t support redirects, your builds will fail beginning in October.