[ https://issues.apache.org/jira/browse/MNG-8471?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17916051#comment-17916051 ]
Elliotte Rusty Harold commented on MNG-8471:
--------------------------------------------

I don't think we can write this off as an OS issue or blame Mac users. In fact I think Apple is correct here. Accepting the unsigned binary is a security issue, and in 2025 we need to take that seriously. Supply chain attacks are real. We used to allow Maven downloads over unencrypted http and we no longer do. This is much the same.

I agree it's not necessarily our responsibility to fix JLine, but I do still think that if this isn't fixed we should simply rip out that dependency. Fixing this bug is more important.

> library load disallowed by system policy on Mac
> ------------------------------------------------
>
> Key: MNG-8471
> URL: https://issues.apache.org/jira/browse/MNG-8471
> Project: Maven
> Issue Type: Bug
> Affects Versions: 4.0.0-rc-2
> Reporter: Elliotte Rusty Harold
> Priority: Blocker
> Attachments: Screenshot 2024-12-25 at 6.10.01 PM.png
>
>
> On a Mac with Sequoia 15.1.1 running the binary 4.0-RC2 release to "mvn clean
> verify" the maven-compiler-plugin
> {code}
> WARNING: Failed to load native library:libjlinenative.jnilib. osinfo:
> Mac/arm64 (caused by: java.lang.UnsatisfiedLinkError:
> /opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib:
> dlopen(/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib,
> 0x0001): tried:
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> (code signature in <E83722FF-713D-3654-A603-EEBC715887FE>
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> not valid for use in process: library load disallowed by system policy),
> '/System/Volumes/Preboot/Cryptexes/OS/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> (no such file),
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> (code signature in <E83722FF-713D-3654-A603-EEBC715887FE>
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> not valid for use in process: library load disallowed by system policy),
> enable debug logging for stacktrace)
> {code}
> The build still seems to complete normally.
> openjdk version "17.0.12" 2024-07-16
> OpenJDK Runtime Environment Homebrew (build 17.0.12+0)
> OpenJDK 64-Bit Server VM Homebrew (build 17.0.12+0, mixed mode, sharing)
> Further, this isn't just a warning on the console. The Mac actually pops up
> two alert dialogs to warn about this problem that the user must click away during
> the build.
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)