Leiningen also uses Clojars over HTTPS by default, I believe, so even without a ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		weavejester on July 29, 2014 \| parent \| context \| favorite \| on: How to take over the computer of a Maven Central u... Leiningen also uses Clojars over HTTPS by default, I believe, so even without a web of trust, Clojars is still more secure than Central.

technomancy on July 29, 2014 [–]

Technically true, but practically this doesn't mean anything.

No one uses Clojars on its own, so if an attacker were able to perform a MITM attack, they could inject a spoofed library into the connection to Central even if the library should be fetched from Clojars.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact