Why does Hybris ship insecure http maven repository URL? And why can't we override it?

Question

In apache-ant/lib/libraries.properties

m2.repo=http://repo1.maven.org/maven2/

What is the point of shipping Hybris with http URL?
It cannot be accessed in the first place, let alone used for downloading.
Ideally, it should be an https URL.

m2.repo=https://repo1.maven.org/maven2/

I tried overriding it by redeclaring this property in local.properties. When that did not pick the new value, I changed it to https in apache-ant/lib/libraries.properties, but it is still picking http. How to override this property?

Error logs:

[artifact:mvn] Downloading: org/apache/maven/apache-maven/3.2.5/apache-maven-3.2.5.pom from repository central at http://repo1.maven.org/maven2
[artifact:mvn] Error transferring file: Operation timed out (Connection timed out)
[artifact:mvn] [WARNING] Unable to get resource 'org.apache.maven:apache-maven:pom:3.2.5' from repository central (http://repo1.maven.org/maven2): Error transferring file: Operation timed out (Connection timed out)
     [null] An error has occurred while processing the Maven artifact tasks.
     [null]  Diagnosis:
     [null] 
     [null] Unable to resolve artifact: Missing:
     [null] ----------
     [null] 1) org.apache.maven:apache-maven:pom:3.2.5
     [null]   Path to dependency: 
     [null]     1) org.apache.maven:super-pom:pom:2.0
     [null]     2) org.apache.maven:apache-maven:pom:3.2.5
     [null] 
     [null] ----------
     [null] 1 required artifact is missing.
     [null] 
     [null] for artifact: 
     [null]   org.apache.maven:super-pom:pom:2.0
     [null] 
     [null] from the specified remote repositories:
     [null]   central (http://repo1.maven.org/maven2)
     [null] 
     [null] 

BUILD FAILED

Answer 1

You can override this by setting up your $HOME/.m2/settings.xml file.

For example:

    <?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
    <profiles>
        <profile>
            <id>default</id>
            <repositories>
                <repository>
                    <releases>
                        <enabled>true</enabled>
                    </releases>
                    <snapshots>
                        <enabled>true</enabled>
                    </snapshots>
                    <id>central</id>
                    <url>https://repo1.maven.org/maven2</url>
                </repository>
            </repositories>
            <pluginRepositories>
                <pluginRepository>
                    <releases>
                        <enabled>true</enabled>
                    </releases>
                    <snapshots>
                        <enabled>true</enabled>
                    </snapshots>
                    <id>central</id>
                    <url>https://repo1.maven.org/maven2</url>
                </pluginRepository>
            </pluginRepositories>
        </profile>
    </profiles>

    <activeProfiles>
        <activeProfile>default</activeProfile>
    </activeProfiles>

</settings>

Answer 2

Redeclaring m2.repo in local.properties won't work as there is no such property loaded by Hybris. You can verify it by searching for m2.repo in hAC > Platform > Configuration (or simply at https://localhost:9002/platform/config).

Modifying it in apache-ant/lib/libraries.properties should work if you execute ant. Please let me know if it is not the case and I will try to find some other option.

When that did not pick the new value, I changed it to https in apache-ant/lib/libraries.properties, but it is still picking http. How to override this property?

It would be helpful if you mention where do you see it picking http. Please mention the steps to replicate this behavior.