incubator-general mailing list archives

From Paul Querna <c...@force-elite.com>
Subject Re: [DISCUSS] Do we really need an incubator?
Date Wed, 09 Jul 2008 18:03:07 GMT
Noel J. Bergman wrote:
> Roy T. Fielding wrote:
> 
>> There is no reason for a separate repository.  [A separate repo] does not
>> help protect "users" from incubator code, since users don't set the Maven
>> configs that define which repos to use and which modules are dependencies.
>> At best, what it does is add an irrelevant incubator layer on top of all
>> Maven repo requests that masks the "normal" repo path from developers,
>> introduces another way to inject insecure code, and wastes our bandwidth
>> sending 404 responses to automated build requests.
> 
>> the user never makes a decision regarding incubator code in the Maven
>> repo.  The user is either going to pull the incubator release directly and
>> then build it using Maven with the provided pom, or some other project is
>> going to make a decision to add the artifact (with incubator in its name)
>> as a dependency.  The Maven repo path is irrelevant to the user's
>> decisions
> 
>> Yes, it would be nice if Maven was more secure, properly checked
>> signatures, and properly delegated namespaces so that third-parties would
>> be unable to add artifacts within other org's trees.  None of those issues
>> are specific to incubator.
> 
> I am forced to agree with Roy on these points.  Until the Maven PMC stops
> abrogating its responsibility and addresses the issues, there does not
> appear to be anything that we can do about Maven's flaws short of banning
> use of the public Maven repositories entirely.


+1.

If this was how Debian ran packages or FreeBSD managed the ports
collection, there would have already been an exploit incident.

We are running on borrowed time, and I don't understand why the PMC
continues to promote features with a completely broken security model.

> Given that I consider promoting Maven's insecure, uncontrolled, and
> unmanaged repositories to be at the height of irresponsibility, I would vote
> in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
> Maven's flaws were addressed, but unfortunately, I doubt that there is a
> consensus to do so.  At least not until there is an actual exploit in the
> wild, at which point the Maven PMC might finally open its eyes in panic.

I'm not involved in Maven at all, and I can understand a project skimping on
more complicated security issues early on -- but at this point Maven
seems like a well established project that isn't just an experiment --
people will be using it en masse for years to come.  For the security
infrastructure to be completely missing is, to me, completely
unacceptable in an ASF Project.

> However, the Maven repository situation has little to do with the need for
> an Incubator.

I agree :-)

-Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org