james-mime4j-dev mailing list archives

From Robert Burrell Donkin <robertburrelldon...@gmail.com>
Subject Re: mime4j 0.6 preview packages
Date Sun, 15 Feb 2009 16:50:30 GMT
On Sun, Feb 15, 2009 at 4:43 PM, Robert Burrell Donkin
<robertburrelldonkin@gmail.com> wrote:
> On Sun, Feb 15, 2009 at 3:55 PM, Stefano Bagnara <apache@bago.org> wrote:
>> Oleg Kalnichevski wrote:
>>> Markus Wiederkehr wrote:
>>>> On Mon, Feb 9, 2009 at 7:53 PM, Oleg Kalnichevski <olegk@apache.org>
>
> <snip>
>
>>>> Is maven version 2.0.6 still sufficient?
>>>> And for me "mvn package" always did the job; no -U, no -Plocal..
>>>>
>>>
>>> Neither option is required. I guess -Plocal can come handy when building
>>> packages while off-line.
>>
>> -Plocal has been introduced as a *compromise* by me 2 years ago, after
>> working weeks (if not months) trying to satisfy really strict security
>> requirements from other PMC members. They were rejecting the use of maven
>> to make releases if this meant using remote repositories because of
>> security concerns.
>
> i never really understood the detail behind these concerns
>
> maven uses lots of dependencies, many of which it downloads. so, the
> direct way to infect a release would be by compromising the build tool
> itself (maven). compromising a released jar through a malware compile
> time dependency sounds like something which would require a lot of
> skill.
>
> if maven isn't secure enough then it should be used at all
                                                            ^^^^^^^^
                                                            shouldn't be

- robert
