incubator-general mailing list archives

From "Davanum Srinivas" <dava...@gmail.com>
Subject Re: [DISCUSS] Do we really need an incubator?
Date Wed, 09 Jul 2008 23:42:23 GMT
Jukka,

fwiw. My objection(s) had nothing to do with security.

thanks,
dims

On Wed, Jul 9, 2008 at 6:25 PM, Jukka Zitting <jukka.zitting@gmail.com> wrote:
> Hi,
>
> On Wed, Jul 9, 2008 at 8:46 PM, Paul Querna <pquerna@apache.org> wrote:
>> Noel J. Bergman wrote:
>>> [...] Until the Maven PMC stops abrogating its responsibility and addresses
>>> the issues, there does not appear to be anything that we can do about
>>> Maven's flaws short of banning use of the public Maven repositories entirely.
>>
>> +1.
>>
>> If this was how debian ran packages or freebsd managed the ports collection,
>> there would have already been an exploit incident.
>>
>> We are running on borrowed time, and I don't understand why the PMC
>> continues to promote features with a completely broken security model.
>
> Frankly I don't see what's so "completely broken" about the Maven
> repository. Lack of automatic signature checking?
>
> For comparison: CPAN has been available for well over a decade and it
> has had signature checking for less than three years now. And the
> feature is still optional, disabled by default.
>
> Another comparison: Apache releases come with digital signatures, but
> it's up to the users to manually verify them. Download statistics
> indicate that the vast majority of users never even look at the
> signatures. As it stands, signature checking is optional and disabled
> by default.
>
> So, while I do appreciate the enthusiasm, I think cries about Maven
> security being broken and the use of the repository being
> irresponsible are IMHO greatly exaggerated. Having automatic signature
> checking in Maven would be nice, but it's not a big enough itch that
> I'd personally want to scratch that and IMHO certainly not serious
> enough that I'd for example consider not using the Maven repository in
> projects I'm involved with.
>
> BR,
>
> Jukka Zitting
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>



-- 
Davanum Srinivas :: http://davanum.wordpress.com

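The manual verification Jukka describes (checksum sidecars and detached PGP signatures that users must check themselves) can be scripted at download time. The following is an added example, not code from the thread or from the Maven or Apache projects; it assumes the artifact and its `.sha1` / `.asc` sidecars have already been fetched to the local directory, and that the project's KEYS file has been imported into a dedicated keyring whose path is passed as the second argument.

```shell
#!/bin/sh
# Verify a downloaded Maven artifact against its repository sidecar files.
# Repositories publish <artifact>.sha1 beside each file; many also publish a
# detached PGP signature <artifact>.asc. The .sha1 sidecar holds either the
# bare hex digest or "hex  filename" (sha1sum format), so only the first
# token is compared, case-insensitively, with CRLF endings tolerated.

sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's SHA-1 matches its sidecar, 1 otherwise.
# An absent or empty sidecar is a failure, not a pass.
verify_sha1() {
    artifact="$1"
    sidecar="${2:-$1.sha1}"
    [ -f "$artifact" ] && [ -f "$sidecar" ] || return 1
    expected=$(tr -d '\r' < "$sidecar" | awk 'NR==1 {print tolower($1)}')
    actual=$(sha1_of "$artifact")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Return 0 when the detached signature verifies against the given keyring
# (assumed path, built from the project's KEYS file), 2 when no .asc sidecar
# exists, 1 when gpg rejects the signature.
verify_asc() {
    artifact="$1"
    keyring="$2"
    [ -f "$artifact.asc" ] || return 2
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$artifact.asc" "$artifact" >/dev/null 2>&1 || return 1
}

# Combined policy: the checksum must match; if a signature is present it
# must verify. A missing signature is reported but does not fail the check,
# which mirrors the opt-in state of signing that the thread discusses.
verify_maven_artifact() {
    verify_sha1 "$1" || { echo "checksum mismatch: $1" >&2; return 1; }
    verify_asc "$1" "$2"
    rc=$?
    [ "$rc" -eq 2 ] && echo "no signature for $1" >&2
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]
}
```

Treating a missing `.asc` as a hard failure instead is a one-line change to the last test in `verify_maven_artifact`.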