Hi,

On Wed, Jul 9, 2008 at 8:46 PM, Paul Querna <[EMAIL PROTECTED]> wrote:
> Noel J. Bergman wrote:
>> [...] Until the Maven PMC stops abrogating its responsibility and addresses
>> the issues, there does not appear to be anything that we can do about
>> Maven's flaws short of banning use of the public Maven repositories entirely.
>
> +1.
>
> If this was how Debian ran packages or FreeBSD managed the ports collection,
> there would have already been an exploit incident.
>
> We are running on borrowed time, and I don't understand why the PMC
> continues to promote features with a completely broken security model.
Frankly I don't see what's so "completely broken" about the Maven repository. Lack of automatic signature checking?

For comparison: CPAN has been available for well over a decade and it has had signature checking for less than three years now. And the feature is still optional, disabled by default.

Another comparison: Apache releases come with digital signatures, but it's up to the users to manually verify them. Download statistics indicate that the vast majority of users never even look at the signatures. As it stands, signature checking is optional and disabled by default.

So, while I do appreciate the enthusiasm, I think cries about Maven security being broken and the use of the repository being irresponsible are IMHO greatly exaggerated. Having automatic signature checking in Maven would be nice, but it's not a big enough itch that I'd personally want to scratch it, and IMHO certainly not serious enough that I'd, for example, consider not using the Maven repository in projects I'm involved with.

BR,

Jukka Zitting