maven-users mailing list archives

From "Helck, Christopher" <che...@ebs.com>
Subject RE: Security question about remote repositories.
Date Wed, 29 Sep 2004 20:08:40 GMT
Ok, in no particular order, and most concerns are not necessarily
security:

1. I download and use a jar that does something evil besides its stated
purpose. For example, suppose someone hacks a xerces implementation and I
build with it.

2. Two people download the same named and versioned jar at different
times. But for some reason the jars are not the same (perhaps one was
quickly patched without a version change). One person's works, one
person's doesn't.

3. I download and use a jar which is no longer supported.

4. I download and use a jar whose license (which I don't read or
understand) makes my company liable for damages.

I guess most of these issues relate to how to use open source software
in a safe and responsible way. Anyway I'm trying to figure this stuff
out before someone at the management level raises difficult questions.

-c. helck


-----Original Message-----
From: Carlos Sanchez [mailto:apache@carlos.cousas.net] 
Sent: Wednesday, September 29, 2004 3:34 PM
To: 'Maven Users List'
Subject: RE: Security question about remote repositories.


Also I'd like to hear those concerns.

> -----Original Message-----
> From: Helck, Christopher [mailto:chelck@ebs.com]
> Sent: Wednesday, September 29, 2004 8:39 PM
> To: Maven Users List
> Subject: Security question about remote repositories.
> 
> 
> Maven makes it very easy to download and use jars off the
> web. I think this is good, but a security expert has raised 
> some concerns about it.
> Can anyone suggest a set of policies to use when determining 
> which packages to use and how/when to download them? I'm 
> thinking along the lines of creating a local repository 
> behind our firewall and only moving "approved" packages from 
> www.ibiblio.org/maven to it. Any suggestions would be helpful.
> 
> Thanks,
> C. Helck
> 
> 
> The information contained in this e-mail is confidential.
> This e-mail is intended only for the stated addressee.  If 
> you are not an addressee, you must not disclose, copy, 
> circulate or in any other way use or rely on the information 
> contained in this e-mail. If you have received this e-mail in 
> error, please inform us immediately and delete it and all 
> copies from your system.
> 
> EBS Dealing Resources International Limited.  Registered
> address:  55-56 Lincoln's Inn Fields, London WC2A 3LJ, United 
> Kingdom. Registered number 2633663.
> 
> EBS Dealing Resources, Inc, registered in Delaware. Address:
> 535 Madison Avenue, 24th Floor, New York, NY 10022, USA, and 
> One upper Pond road, Building F - Floor 3, Parsippany, NJ 07054, USA.
> 
> EBS Dealing Resources Japan Limited, a Japanese Corporation.
> Address: Asteer Kayabacho Bldg, 6th Floor, 1-6-1, Shinkawa, 
> Chuo-Ku,  Tokyo 104-0033, Japan.
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org
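The policy sketched in the thread (review a package once, then move only "approved" packages from the public repository to an internal one behind the firewall) can be mechanised with a pinned allowlist of checksums. The script below is an added example for this archive page; it is not code from the thread, from Maven, or from ibiblio. It builds a few small jars in memory as constructed sample data, records the reviewed jar's SHA-256 in an allowlist, and then classifies a batch of downloads as approved, checksum-mismatch (same name and version, different bytes: concern 2 above) or not-approved (nobody has reviewed it). Paths follow the groupId/jars/artifactId-version.jar layout of the repositories of that era; the reviewer name, license tags and jar contents are all hypothetical.

```python
"""Allowlist gate for an internal Maven mirror (added example, constructed data)."""
import hashlib
import io
import zipfile

# Fixed timestamp so the constructed jars, and therefore their hashes, are
# identical on every run.
FIXED_DATE = (2004, 9, 29, 20, 8, 40)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (what `sha256sum` prints for a file)."""
    return hashlib.sha256(data).hexdigest()


def make_jar(entries: dict) -> bytes:
    """Build a minimal jar (a zip archive) in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE)
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed jars. APPROVED_XERCES is the one a reviewer looked at;
# PATCHED_XERCES carries the same name and version on the public server but
# different bytes (the "quietly patched without a version bump" case).
APPROVED_XERCES = make_jar({"org/apache/xerces/Parser.class": b"\xca\xfe\xba\xbe v2.4.0"})
PATCHED_XERCES = make_jar({"org/apache/xerces/Parser.class": b"\xca\xfe\xba\xbe v2.4.0+hotfix"})
UNREVIEWED_FOO = make_jar({"com/example/Foo.class": b"\xca\xfe\xba\xbe foo"})

# The allowlist is the reviewer's record: repository-relative path -> pinned
# SHA-256 plus what was checked at approval time. The hash is the property a
# name+version pair lacks: it binds the approval to the exact reviewed bytes.
ALLOWLIST = {
    "xerces/jars/xerces-2.4.0.jar": {
        "sha256": sha256_hex(APPROVED_XERCES),
        "license": "Apache-2.0",        # hypothetical, recorded when reviewed
        "reviewed_by": "build-team",    # hypothetical reviewer
    },
}


def check_artifact(path: str, data: bytes, allowlist: dict) -> str:
    """Classify one downloaded artifact against the allowlist.

    Returns "approved", "checksum-mismatch" (known path, unexpected bytes)
    or "not-approved" (nobody has reviewed this path yet).
    """
    entry = allowlist.get(path)
    if entry is None:
        return "not-approved"
    if sha256_hex(data) != entry["sha256"]:
        return "checksum-mismatch"
    return "approved"


def audit_mirror(candidates, allowlist: dict) -> list:
    """Run check_artifact over (path, bytes) pairs; return (path, verdict) pairs.

    Only "approved" artifacts should be copied into the internal repository;
    the other two verdicts are the ones to route back to a reviewer.
    """
    return [(path, check_artifact(path, data, allowlist)) for path, data in candidates]


# Constructed download batch: the reviewed jar, a silently changed jar under
# the same path, and a jar nobody has approved.
CANDIDATES = [
    ("xerces/jars/xerces-2.4.0.jar", APPROVED_XERCES),
    ("xerces/jars/xerces-2.4.0.jar", PATCHED_XERCES),
    ("foo/jars/foo-1.0.jar", UNREVIEWED_FOO),
]

if __name__ == "__main__":
    for path, verdict in audit_mirror(CANDIDATES, ALLOWLIST):
        print(f"{verdict:18} {path}")
```

In use, the allowlist would be a file kept under version control next to the internal repository, with each entry added by the person who read the license and checked provenance (the pinned value is simply `sha256sum` of the jar they reviewed). Re-running the audit against the public mirror then catches both an unreviewed jar and a jar whose bytes changed under an unchanged version, which is exactly the situation where one developer's build works and another's does not.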


