Summary
The co.fs2 domain registration expired, putting fs2 users at risk of a possible Maven supply-chain attack, since the co.fs2 group id is used for all fs2 Maven coordinates. Remediated by registering the domain on January 18th and configuring a redirect to https://typelevel.org/fs2/.
Details
https://www.sonatype.com/sonatypes-ongoing-commitment-to-maven-central
PoC
Had the domain remained unregistered, the path to a supply-chain attack would have involved:
- Buy the co.fs2 domain
- Get publishing rights from Sonatype
- Publish artifacts with a backdoor
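The attack path above starts with a group id whose verifying domain lapses, so the check a consumer can run is to reverse each domain-backed group id in the build into its DNS name (co.fs2 maps to fs2.co) and flag any that no longer resolves. The script below is an added example, not part of this advisory or the fs2 project; the build.sbt fragment, the HOSTED_PREFIXES list and the regex are assumptions constructed for it.

```python
import re
import socket
from typing import Callable, Iterable, List, Tuple

# Constructed build.sbt fragment (not fs2's own build) mixing the real co.fs2 group id with others.
SAMPLE_BUILD_SBT = """
libraryDependencies ++= Seq(
  "co.fs2"            %% "fs2-core"    % "3.x.y",
  "org.typelevel"     %% "cats-effect" % "3.x.y",
  "io.github.someone" %% "hosted-lib"  % "1.0.0"
)
"""

# Assumed list: group ids under these prefixes are granted via the hosting account, not a domain.
HOSTED_PREFIXES = ("io.github.", "com.github.", "io.gitlab.", "org.bitbucket.")

# "<group>" %% "<artifact>" % "<version>"; only the first string is the group id.
SBT_DEP_RE = re.compile(r'"([a-z0-9][a-z0-9.-]*)"\s*%{1,3}\s*"[^"]+"\s*%\s*"')

def extract_group_ids(build_sbt: str) -> List[str]:
    """Distinct group ids declared in an sbt-style dependency list."""
    return sorted(set(SBT_DEP_RE.findall(build_sbt)))

def group_id_to_domain(group_id: str) -> str:
    """Reverse a group id into the apex domain its namespace was verified against
    (co.fs2 -> fs2.co). Assumes the first two labels are the apex (not e.g. co.uk)."""
    parts = group_id.lower().split(".")
    if len(parts) < 2 or not all(re.fullmatch(r"[a-z0-9-]+", p) for p in parts):
        raise ValueError(f"not a reverse-DNS group id: {group_id!r}")
    return ".".join(reversed(parts[:2]))

def domain_resolves(domain: str) -> bool:
    """NXDOMAIN strongly suggests the name is unregistered (the state this advisory describes)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False

def audit_group_ids(group_ids: Iterable[str], resolves: Callable[[str], bool] = domain_resolves) -> List[Tuple[str, str]]:
    """(group_id, domain) pairs whose verifying domain does not resolve."""
    findings = []
    for gid in group_ids:
        if gid.startswith(HOSTED_PREFIXES):
            continue  # no maintainer-owned domain to check
        domain = group_id_to_domain(gid)
        if not resolves(domain):
            findings.append((gid, domain))
    return findings
```

A name that does resolve only shows that someone currently holds it, not that the original maintainers do, so this check catches the lapse but not a later takeover.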
Impact
No impact to users of fs2; no action is needed.
Resolution
I purchased the co.fs2 domain from Squarespace Domains and configured a redirect to https://typelevel.org/fs2/. I also checked Sonatype and confirmed there were no new publishing permissions granted to the co.fs2 group id.
-- @mpilquist