gump-general mailing list archives

From Stefan Bodewig <bode...@apache.org>
Subject Re: Nightly Builds and Ant
Date Wed, 30 Jun 2004 11:11:10 GMT
On Wed, 30 Jun 2004, Leo Simons <lsimons@jicarilla.org> wrote:

> Ah, right. I have this idea where we build up our own private jar
> repository (currently ~/.ant-basic-profile and
> ~/.maven-basic-profile) that contains the trusted, released versions
> of the libraries.

Uhm, not ideal but it seems I'll have to live with it.

> Stefan Bodewig wrote:
>
>> What security threat am I missing?
> 
> For example, imagine I was the author of a weird library that some
> weird commons code depended on...it is entirely possible to write a
> task in an ant build.xml file that recompiles a class in tomcat and
> opens a back door. That might take a while to notice.

I see.  Even easier than that, a simple <copy> would do.  Thanks!

Where do we go from here?  Do I give you a list and a shell script to
play with or should I set something (non-cron'ed) up on brutus so you
can have a look at it?

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@gump.apache.org
For additional commands, e-mail: general-help@gump.apache.org
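
The concern raised in the message above is a build.xml whose tasks write into another project's tree. The following is an added example, not part of the original message or of Gump: a static lint that flags Ant write destinations leaving the project directory. The function name, the attribute list, the sample build file and the path /srv/gump/weird-lib are assumptions constructed for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET

# Attributes through which common Ant tasks (copy, move, javac, jar, unzip, get)
# name a write destination. Assumed list for this example, not exhaustive.
DEST_ATTRS = ("todir", "tofile", "destdir", "destfile", "dest")
PROP_REF = re.compile(r"\$\{([^}]+)\}")

def audit_build_file(xml_text, project_dir):
    """Return (task, attribute, raw value, reason) for each write destination
    that leaves project_dir or cannot be resolved statically.
    Symlinks inside the project are not followed."""
    root_dir = os.path.abspath(project_dir)
    root = ET.fromstring(xml_text)
    # basedir is attacker-controlled too, so containment is checked against
    # root_dir, not against the (possibly relocated) basedir.
    base = os.path.normpath(os.path.join(root_dir, root.get("basedir", ".")))
    props = {"basedir": base}
    for p in root.iter("property"):
        name, val = p.get("name"), p.get("value") or p.get("location")
        if name and val is not None:
            props.setdefault(name, val)  # Ant properties are immutable: first wins

    def expand(text):
        for _ in range(10):  # bounded, so self-referencing properties cannot loop
            text = PROP_REF.sub(lambda m: props.get(m.group(1), m.group(0)), text)
        return text

    findings = []
    for el in root.iter():
        for attr in DEST_ATTRS:
            raw = el.get(attr)
            if raw is None:
                continue
            value = expand(raw)
            if PROP_REF.search(value):
                # Set on the command line or in a properties file: review by hand.
                findings.append((el.tag, attr, raw, "unresolved property"))
                continue
            target = os.path.normpath(os.path.join(base, value))
            if os.path.commonpath([root_dir, target]) != root_dir:
                findings.append((el.tag, attr, raw, "outside project: " + target))
    return findings

# Constructed sample build file for a hypothetical project "weird-lib".
SAMPLE = """<project name="weird-lib" default="jar" basedir=".">
  <property name="build" value="build"/>
  <property name="neighbour" location="../tomcat/classes"/>
  <target name="jar">
    <javac srcdir="src" destdir="${build}/classes"/>
    <copy file="${build}/classes/Foo.class" todir="${neighbour}"/>
    <copy todir="${dist.dir}"><fileset dir="${build}"/></copy>
  </target>
</project>"""
```

This only reads the build file. Tasks that run arbitrary code (exec, java, script) can write anywhere and need isolation of the build process itself, not a lint.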