incubator-general mailing list archives

From Paul Querna <>
Subject Re: [DISCUSS] Do we really need an incubator?
Date Sat, 12 Jul 2008 20:14:41 GMT
Jukka Zitting wrote:
> Hi,
> On Wed, Jul 9, 2008 at 8:46 PM, Paul Querna <> wrote:
>> Noel J. Bergman wrote:
>>> [...] Until the Maven PMC stops abrogating its responsibility and addresses
>>> the issues, there does not appear to be anything that we can do about
>>> Maven's flaws short of banning use of the public Maven repositories entirely.
>> +1.
>> If this was how debian ran packages or freebsd managed the ports collection,
>> there would have already been an exploit incident.
>> We are running on borrowed time, and I don't understand why the PMC
>> continues to promote features with a completely broken security model.
> Frankly I don't see what's so "completely broken" about the Maven
> repository. Lack of automatic signature checking?
> For comparison: CPAN has been available for well over a decade and it
> has had signature checking for less than three years now. And the
> feature is still optional, disabled by default.

However, AFAIK, CPAN doesn't allow every CPAN author to overwrite the
files of every other CPAN author.  That's the situation we are in now
with the Maven Repository, because we just use the filesystem on as the pristine copy.

To me there are two main flaws with how we manage the repository today:

1) No Authenticated Modifications to the Repository.
2) No Automated Signature Checking Enabled by Default.

To address #1, we are looking at using a Subversion repository, instead 
of the file system on

By using a subversion repository, all modifications of the repo could be
tracked via email and revision histories, and the mirrors run by infra
would just be exported copies.

> So, while I do appreciate the enthusiasm, I think cries about Maven
> security being broken and the use of the repository being
> irresponsible are IMHO greatly exaggerated. Having automatic signature
> checking in Maven would be nice, but it's not a big enough itch that
> I'd personally want to scratch that and IMHO certainly not serious
> enough that I'd for example consider not using the Maven repository in
> projects I'm involved with.

You are saying you trust all 1600+ shell accounts on

That not one of them is hacked, or will be hacked at some point?

That's not a risk I believe we should expose ourselves to.  Moving to a
subversion based repository would be a first good step, adding real
signature checking should also be done, but I can live with just getting
the repository moved off a central machine.
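The two flaws named in this message combine: when anyone with a shell account can overwrite an artifact and its checksum sidecar, a client that only checks checksums has no way to notice, and only a signature made with a key the client already trusts can catch the change. The following Go program is an added illustration of that client-side check; it is not code from this thread or from Maven. It models a repository entry as artifact bytes, a .sha1 sidecar and a detached signature, and uses Ed25519 as a self-contained stand-in for the PGP .asc signatures Maven repositories actually carry (an assumption for the example; the artifact contents are constructed).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// Artifact models the files a Maven-style repository holds for one release:
// the artifact bytes, the sibling .sha1 checksum, and a detached signature.
// In the setup discussed in the thread, every one of these files is writable
// by anyone with a shell account on the host that serves as the pristine copy.
type Artifact struct {
	Name    string
	Data    []byte
	SHA1Hex string // contents of the .sha1 sidecar
	Sig     []byte // detached signature over Data (Ed25519 here; Maven uses PGP .asc files)
}

var (
	ErrChecksum  = errors.New("checksum mismatch")
	ErrSignature = errors.New("signature does not verify against the trusted release key")
)

// NewSigningKey generates the release manager's key pair. In practice the
// public half would be pinned in the client, not fetched from the repository.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func sha1Hex(b []byte) string {
	sum := sha1.Sum(b)
	return hex.EncodeToString(sum[:])
}

// Publish is what a legitimate release does: write the bytes, the checksum
// sidecar, and a signature made with the release key.
func Publish(name string, data []byte, priv ed25519.PrivateKey) Artifact {
	return Artifact{
		Name:    name,
		Data:    data,
		SHA1Hex: sha1Hex(data),
		Sig:     ed25519.Sign(priv, data),
	}
}

// Overwrite models flaw #1 from the thread: an unauthenticated modification.
// Whoever can write to the filesystem replaces the bytes and regenerates the
// checksum sidecar, but holds no release key, so the old signature stays behind.
func Overwrite(a Artifact, replacement []byte) Artifact {
	a.Data = replacement
	a.SHA1Hex = sha1Hex(replacement)
	return a
}

// ChecksumOnlyAccepts is the check a client makes when signature verification
// is off (flaw #2): it only proves the download matches the sidecar on the
// same server, which a filesystem-level overwrite updates along with the jar.
func ChecksumOnlyAccepts(a Artifact) bool {
	return sha1Hex(a.Data) == a.SHA1Hex
}

// Verify is the check a client should run by default: the checksum catches
// transfer corruption, and the signature against a pinned key catches
// modifications by anyone who is not the release manager.
func Verify(a Artifact, trusted ed25519.PublicKey) error {
	if !ChecksumOnlyAccepts(a) {
		return ErrChecksum
	}
	if !ed25519.Verify(trusted, a.Data, a.Sig) {
		return ErrSignature
	}
	return nil
}

func main() {
	pub, priv := NewSigningKey()
	// Constructed sample release; not a real artifact.
	release := Publish("example-1.0.jar", []byte("original jar contents"), priv)
	fmt.Println("pristine, full check:", Verify(release, pub))

	tampered := Overwrite(release, []byte("replaced jar contents"))
	fmt.Println("tampered, checksum-only client accepts:", ChecksumOnlyAccepts(tampered))
	fmt.Println("tampered, full check:", Verify(tampered, pub))
}
```

The point of the two client functions is the contrast: after Overwrite the checksum-only client still says yes, because the sidecar it compares against lives on the same writable filesystem, while Verify rejects the artifact because the signature was made over the original bytes. Moving the pristine copy into a tracked repository, as the message proposes, narrows who can perform Overwrite; enabling signature checks by default is what makes a client notice when it happens anyway.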

