james-mime4j-dev mailing list archives

From Robert Burrell Donkin <robertburrelldon...@gmail.com>
Subject Re: mime4j 0.6 preview packages
Date Sun, 15 Feb 2009 16:43:11 GMT
On Sun, Feb 15, 2009 at 3:55 PM, Stefano Bagnara <apache@bago.org> wrote:
> Oleg Kalnichevski ha scritto:
>> Markus Wiederkehr wrote:
>>> On Mon, Feb 9, 2009 at 7:53 PM, Oleg Kalnichevski <olegk@apache.org>

<snip>

>>> Is maven version 2.0.6 still sufficient?
>>> And for me "mvn package" always did the job; no -U, no -Plocal..
>>>
>>
>> Neither option is required. I guess -Plocal can come handy when building
>> packages while off-line.
>
> -Plocal has been introduced as a *compromise* by me 2 years ago, after
> working weeks (if not months) trying to satisfy really strict security
> requirements from other PMC members. They were rejecting the use of maven
> to make releases if this meant using remote repositories because of
> security concerns.

i never really understood the detail behind these concerns

maven uses lots of dependencies, many of which it downloads. so, the
direct way to infect a release would be by compromising the build tool
itself (maven). compromising a released jar through a malware compile
time dependency sounds like something which would require a lot of
skill.

if maven isn't secure enough then it should be used at all

> Even if I understand and share the security issues and the
> reproducibility issues with m2, I always thought that the whole issue
> was a big waste of time for me and for the JAMES project. THE solution
> for maven and this issue is to setup our own repository with a
> repository manager. Unfortunately it seems there is no will to setup
> this kind of 3rd party repository inside the ASF.

the conclusion i reached is that this wouldn't be good enough anyway.
what would be required is a hardened version of maven.

> The whole thing had already found inconsistency when we decided that we
> were not entitled to ship poms for jars that we ship in the stage folder
> (especially wrt javamail stuff).

licensing issues make it hard to use stage effectively

- robert
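The concern debated above (a compile-time dependency that maven fetched from a remote repository being swapped for a malicious one) is usually addressed by pinning each artifact's digest and checking the local repository against that allow-list before a release build. The following is an added illustration, not code from the thread or from mime4j; the pin-file layout (repository-relative path to SHA-256) is an assumption, and the jar contents are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_local_repo(repo_root, pins):
    """Check every .jar under repo_root (e.g. ~/.m2/repository) against pins,
    a dict of repository-relative path -> expected SHA-256 (assumed format).
    Returns a list of (relative_path, problem); empty means every compile-time
    input is exactly the pinned artifact and nothing unpinned slipped in."""
    root = Path(repo_root)
    problems, seen = [], set()
    for jar in sorted(root.rglob("*.jar")):
        rel = jar.relative_to(root).as_posix()
        seen.add(rel)
        expected = pins.get(rel)
        if expected is None:
            problems.append((rel, "unpinned"))
        elif sha256_file(jar) != expected.lower():
            problems.append((rel, "digest mismatch"))
    for rel in sorted(set(pins) - seen):
        problems.append((rel, "missing"))
    return problems


def demo():
    """Constructed scenario: a clean repository passes; a jar replaced after
    pinning and an extra jar that was never pinned are both reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        jar = root / "org/apache/james/apache-mime4j/0.6/apache-mime4j-0.6.jar"
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"PK\x03\x04 constructed stand-in for a jar")
        pins = {jar.relative_to(root).as_posix(): sha256_file(jar)}
        clean = verify_local_repo(root, pins)
        jar.write_bytes(b"PK\x03\x04 swapped after pinning")
        extra = root / "com/example/unpinned/1.0/unpinned-1.0.jar"
        extra.parent.mkdir(parents=True)
        extra.write_bytes(b"PK\x03\x04 never pinned")
        return clean, verify_local_repo(root, pins)
```

Running the check in the same step that runs `mvn package` (or against a repository manager's mirror) turns "did maven download what we reviewed?" into a yes/no answer rather than a matter of trust.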
