Rainer Noack wrote:
> Hi Steve
>
> Your security issues sounds very reasonable for me.
>
> I've never thought of this, as I've used the URL option rarely
> in practice and only for LAN access where security was irrelevant.
> Another reason is, that I've no experience with this stuff.
>
> Do you think, it could be a blocker?
>
> What is the best solution in the case, there is nobody who is more
> familiar with this stuff and implements the security issues now?
> a) Contribute as is and document this issue in the task documentation
> until it's hopefully implemented later or
> b) Change the task, so that it does not accept non-file URLs (should be
> no big deal) or accepts only the original Path type instead of the
> extended one.
>
> Regards,
> Rainer
I think for a build process you are taking your own risks. The danger is
that if people do bind to remote URLs for stuff, they create a new back
door. We should document that :)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org
|