incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jukka Zitting" <>
Subject Re: [DISCUSS] Do we really need an incubator?
Date Wed, 09 Jul 2008 22:25:16 GMT

On Wed, Jul 9, 2008 at 8:46 PM, Paul Querna <> wrote:
> Noel J. Bergman wrote:
>> [...] Until the Maven PMC stops abrogating its responsibility and addresses
>> the issues, there does not appear to be anything that we can do about
>> Maven's flaws short of banning use of the public Maven repositories entirely.
> +1.
> If this was how debian ran packages or freebsd managed the ports collection,
> there would of already been an exploit incident.
> We are running on borrowed time, and I don't understand why the PMC
> continues to promote features with a completely broken security model.

Frankly I don't see what's so "completely broken" about the Maven
repository. Lack of automatic signature checking?

For comparison: CPAN has been available for well over a decade and it
has had signature checking for less than three years now. And the
feature is still optional, disabled by default.

Another comparison: Apache releases come with digital signatures, but
it's up to the users to manually verify them. Download statistics
indicate that the vast majority of users never even look at the
signatures. As it stands, signature checking is optional and disabled
by default.

So, while I do appreciate the enthusiasm, I think cries about Maven
security being broken and the use of the repository being
irresponsible are IMHO greatly exaggerated. Having automatic signature
checking in Maven would be nice, but it's not a bit enough itch that
I'd personally want to scratch that and IMHO certainly not serious
enough that I'd for example consider not using the Maven repository in
projects I'm involved with.


Jukka Zitting

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message