[ https://issues.apache.org/jira/browse/MNG-8471?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17916072#comment-17916072 ]
Tamas Cservenak commented on MNG-8471:
--------------------------------------

To recap, I'd not mix in at all here the "supply chain attack", as this is "user downloading stuff from the net" (and running it), this happens out of band, is a totally different thing (and it exists since invention of browsers). Again, FOSS and OSS sites _always asked users to verify binaries after download_, if they run it "blindly", there is not much we can do about it.

Maven does verify downloaded stuff when it gets stuff from remote, and can verify even SHA-512 (see https://github.com/cstamas/tc-demo), so again, you are mixing things here. It is _very different_ from this case, where user downloads something from the Internet.

> library load disallowed by system policy on Mac
> ------------------------------------------------
>
>                 Key: MNG-8471
>                 URL: https://issues.apache.org/jira/browse/MNG-8471
>             Project: Maven
>          Issue Type: Bug
>    Affects Versions: 4.0.0-rc-2
>            Reporter: Elliotte Rusty Harold
>            Priority: Blocker
>         Attachments: Screenshot 2024-12-25 at 6.10.01 PM.png
>
>
> On a Mac with Sequoia 15.1.1 running the binary 4.0-RC2 release to "mvn clean
> verify" the maven-compiler-plugin
> {code}
> WARNING: Failed to load native library:libjlinenative.jnilib. osinfo:
> Mac/arm64 (caused by: java.lang.UnsatisfiedLinkError:
> /opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib:
>
> dlopen(/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib,
> 0x0001): tried:
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> (code signature in <E83722FF-713D-3654-A603-EEBC715887FE>
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> not valid for use in process: library load disallowed by system policy),
> '/System/Volumes/Preboot/Cryptexes/OS/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> (no such file),
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> (code signature in <E83722FF-713D-3654-A603-EEBC715887FE>
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> not valid for use in process: library load disallowed by system policy),
> enable debug logging for stacktrace)
> {code}
> The build still seems to complete normally.
> openjdk version "17.0.12" 2024-07-16
> OpenJDK Runtime Environment Homebrew (build 17.0.12+0)
> OpenJDK 64-Bit Server VM Homebrew (build 17.0.12+0, mixed mode, sharing)
> Further, this isn't just a warning on the console. The mac actually pops up
> two alert dialogs to warn about this problem that user must click away during
> the build.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)