From Paul Querna <>
Subject Re: [DISCUSS] Do we really need an incubator?
Date Wed, 09 Jul 2008 17:46:43 GMT
Noel J. Bergman wrote:
> Roy T. Fielding wrote:
>> There is no reason for a separate repository.  [A separate repo] does not
>> help protect "users" from incubator code, since users don't set the Maven
>> configs that define which repos to use and which modules are dependencies.
>> At best, what it does is add an irrelevant incubator layer on top of all Maven
>> repo requests that masks the "normal" repo path from developers, introduces
>> another way to inject insecure code, and wastes our bandwidth sending 404
>> responses to automated build requests.
>> the user never makes a decision regarding incubator code in the Maven repo.
>> The user is either going to pull the incubator release directly and then build it
>> using Maven with the provided pom, or some other project is going to make a
>> decision to add the artifact (with incubator in its name) as a dependency. The
>> Maven repo path is irrelevant to the user's decisions
>> Yes, it would be nice if Maven was more secure, properly checked signatures,
>> and properly delegated namespaces so that third-parties would be unable to
>> add artifacts within other org's trees.  None of those issues are specific
>> to incubator.
> I am forced to agree with Roy on these points.  Until the Maven PMC stops
> abrogating its responsibility and addresses the issues, there does not
> appear to be anything that we can do about Maven's flaws short of banning
> use of the public Maven repositories entirely.


If this was how Debian ran packages or FreeBSD managed the ports 
collection, there would have already been an exploit incident.

We are running on borrowed time, and I don't understand why the PMC 
continues to promote features with a completely broken security model.

> Given that I consider promoting Maven's insecure, uncontrolled, and
> unmanaged repositories to be at the height of irresponsibility, I would vote
> in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
> Maven's flaws were addressed, but unfortunately, I doubt that there is a
> consensus to do so.  At least not until there is an actual exploit in the
> wild, at which point the Maven PMC might finally open its eyes in panic.

I'm not involved in Maven at all; I can understand a project skimping on 
more complicated security issues early on -- but at this point Maven 
seems like a well established project that isn't just an experiment -- 
people will be using it en masse for years to come.  For the security 
infrastructure to be completely missing, to me, is completely unacceptable.

> However, the Maven repository situation has little to do with the need for
> an Incubator.

I agree :-)
