incubator-general mailing list archives

From "Davanum Srinivas" <>
Subject Re: [DISCUSS] Do we really need an incubator?
Date Wed, 09 Jul 2008 23:42:23 GMT

fwiw. My objection(s) had nothing to do with security.


On Wed, Jul 9, 2008 at 6:25 PM, Jukka Zitting <> wrote:
> Hi,
> On Wed, Jul 9, 2008 at 8:46 PM, Paul Querna <> wrote:
>> Noel J. Bergman wrote:
>>> [...] Until the Maven PMC stops abrogating its responsibility and addresses
>>> the issues, there does not appear to be anything that we can do about
>>> Maven's flaws short of banning use of the public Maven repositories entirely.
>> +1.
>> If this was how debian ran packages or freebsd managed the ports collection,
>> there would have already been an exploit incident.
>> We are running on borrowed time, and I don't understand why the PMC
>> continues to promote features with a completely broken security model.
> Frankly I don't see what's so "completely broken" about the Maven
> repository. Lack of automatic signature checking?
> For comparison: CPAN has been available for well over a decade and it
> has had signature checking for less than three years now. And the
> feature is still optional, disabled by default.
> Another comparison: Apache releases come with digital signatures, but
> it's up to the users to manually verify them. Download statistics
> indicate that the vast majority of users never even look at the
> signatures. As it stands, signature checking is optional and disabled
> by default.
> So, while I do appreciate the enthusiasm, I think cries about Maven
> security being broken and the use of the repository being
> irresponsible are IMHO greatly exaggerated. Having automatic signature
> checking in Maven would be nice, but it's not a big enough itch that
> I'd personally want to scratch that and IMHO certainly not serious
> enough that I'd for example consider not using the Maven repository in
> projects I'm involved with.
> BR,
> Jukka Zitting

Davanum Srinivas ::
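The quoted discussion turns on one point: release signatures are published, but checking them is manual and opt-in, so most users never do it. As an added example (not code from this thread, from Maven, CPAN or any Apache project), the script below shows what the automatic, fail-closed check looks like: it verifies a downloaded artifact's SHA-256 against the published checksum file and then its detached PGP signature against a pinned keyring, refusing the artifact if either file is missing, if gpg is unavailable, or if the keyring is absent. The file-naming convention (`artifact`, `artifact.sha256`, `artifact.asc`), the existence of a keyring into which the project's published KEYS have been imported, and `gpg` being on PATH are assumptions.

```python
"""Verify a downloaded release artifact against its published checksum and
detached PGP signature, failing closed when any check cannot be completed.

Added example for this thread; not code from Maven, CPAN or any Apache
project.  The .sha256/.asc naming and the trusted keyring path are assumed.
"""
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text: str) -> str:
    """Accept a bare hex digest or the '<hex>  <filename>' line sha256sum writes."""
    digest = text.split()[0].lower() if text.strip() else ""
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("checksum file does not contain a SHA-256 hex digest")
    return digest


def verify_checksum(artifact: Path, checksum_file: Path) -> bool:
    """True when the artifact's digest equals the published one."""
    expected = parse_checksum_file(checksum_file.read_text())
    return hmac.compare_digest(sha256_of(artifact), expected)


def verify_signature(artifact: Path, signature: Path, keyring: Path) -> VerifyResult:
    """Check the detached signature with gpg, trusting only the pinned keyring.

    --no-default-keyring plus --keyring restricts trust to the project's KEYS
    imported into `keyring`; whatever the user's own keyring holds is ignored.
    A missing gpg or keyring is a failure, not a reason to skip the check.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return VerifyResult(False, "gpg not installed; refusing to skip signature check")
    if not keyring.exists():
        return VerifyResult(False, f"trusted keyring {keyring} missing")
    # gpg treats a keyring path without a slash as relative to its home dir,
    # so always hand it an absolute path.
    cmd = [gpg, "--batch", "--no-default-keyring", "--keyring", str(keyring.resolve()),
           "--verify", str(signature), str(artifact)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return VerifyResult(False, "signature check failed: " + proc.stderr.strip())
    return VerifyResult(True, "signature valid")


def verify_artifact(artifact: Path, keyring: Path) -> VerifyResult:
    """Checksum first (cheap, catches corruption), then signature (catches tampering).

    A checksum alone proves little if it travelled over the same untrusted
    channel as the artifact; the signature ties both to a key the project published.
    """
    checksum_file = artifact.with_name(artifact.name + ".sha256")
    signature = artifact.with_name(artifact.name + ".asc")
    for required in (artifact, checksum_file, signature):
        if not required.exists():
            return VerifyResult(False, f"missing {required.name}")
    try:
        if not verify_checksum(artifact, checksum_file):
            return VerifyResult(False, "SHA-256 mismatch")
    except ValueError as e:
        return VerifyResult(False, str(e))
    return verify_signature(artifact, signature, keyring)


def make_sample_release() -> Path:
    """Write a constructed artifact plus matching .sha256 into a temp dir (for demos/tests)."""
    d = Path(tempfile.mkdtemp(prefix="release-"))
    artifact = d / "example-1.0.tar.gz"          # constructed name, not a real release
    artifact.write_bytes(b"abc")                  # constructed content
    (d / "example-1.0.tar.gz.sha256").write_text(f"{sha256_of(artifact)}  {artifact.name}\n")
    return artifact


if __name__ == "__main__":
    import sys
    result = verify_artifact(Path(sys.argv[1]), Path(sys.argv[2]))
    print(("OK" if result.ok else "FAIL") + ": " + result.reason)
    sys.exit(0 if result.ok else 1)
```

Run it as `python verify_release.py example-1.0.tar.gz /path/to/trusted-keys.gpg`; a nonzero exit means the artifact should not be used. The design choice worth noting is that every "cannot check" condition returns a failure rather than a warning, which is exactly the default the thread says CPAN, Maven and manual Apache downloads do not have.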
