Drop/replace insecure dependencies

[rbuchmann]

What kind an issue is this?

Security issue in the way dependencies are handled

Issue description

The build.gradle file includes a LOT of repositories over http, which potentially exposes every user of the library to trivially executed MITM attacks.

Steps to reproduce

Found by using elasticsearch-hadoop with a newer version of leiningen, where the code to reproduce is simply

lein deps

More information https://github.com/technomancy/leiningen/blob/master/doc/FAQ.md ,
under "I got 'Tried to use insecure HTTP repository without TLS' ..."

[jbaiera]

A note here: Most of cascading's site does not work with HTTPS. This means that the conjars repo must remain http for the time being. There's not much we can do about this unless they support security on their end as well.

[devurandom]

@jbaiera Since Elastic's users are at a significant risk until all repositories are secured, would it be possible to host a verified copy of the Cascading artifacts on e.g. Clojars, until Cascading / Concurrent, Inc. / Driven, Inc. / Xplenty, Inc. can fix their infrastructure?

[saggineumann]

@devurandom SSL support was added to https://www.conjars.org/ on Feb 20

[jbaiera]

I've just pushed an update that clears up the http usage with conjars repo.