[ https://issues.apache.org/jira/browse/MNG-8471?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17916090#comment-17916090 ]
Elliotte Rusty Harold commented on MNG-8471:
--------------------------------------------

If my browser or anything else I run on my local laptop is compromised, it's game over. Verifying signatures won't help me. For an attacker in that position, they have far more effective attacks than modifying some download from Apache.

Signature verification only helps with 2 things:

# Installs from unofficial sources (and then only if the signature comes from the official site)
# Man in the middle attacks

#2 should be completely alleviated by https, and if somehow it's not then it's trivial for the MITM who compromises the download to also compromise my signature.

Free does not mean free as in beer. I don't know that the ASL is incompatible with the Apple Developer Program. I'm told GPL is, but Apache might not be. I would check though.

> library load disallowed by system policy on Mac
> ------------------------------------------------
>
>                 Key: MNG-8471
>                 URL: https://issues.apache.org/jira/browse/MNG-8471
>             Project: Maven
>          Issue Type: Bug
>    Affects Versions: 4.0.0-rc-2
>            Reporter: Elliotte Rusty Harold
>            Priority: Blocker
>         Attachments: Screenshot 2024-12-25 at 6.10.01 PM.png
>
>
> On a Mac with Sequoia 15.1.1 running the binary 4.0-RC2 release to "mvn clean
> verify" the maven-compiler-plugin
> {code}
> WARNING: Failed to load native library:libjlinenative.jnilib. osinfo:
> Mac/arm64 (caused by: java.lang.UnsatisfiedLinkError:
> /opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib:
>
> dlopen(/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib,
> 0x0001): tried:
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> (code signature in <E83722FF-713D-3654-A603-EEBC715887FE>
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> not valid for use in process: library load disallowed by system policy),
> '/System/Volumes/Preboot/Cryptexes/OS/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> (no such file),
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> (code signature in <E83722FF-713D-3654-A603-EEBC715887FE>
> '/opt/java/apache-maven-4.0.0-rc-2/lib/jline-native/Mac/arm64/libjlinenative.jnilib'
> not valid for use in process: library load disallowed by system policy),
> enable debug logging for stacktrace)
> {code}
> The build still seems to complete normally.
> openjdk version "17.0.12" 2024-07-16
> OpenJDK Runtime Environment Homebrew (build 17.0.12+0)
> OpenJDK 64-Bit Server VM Homebrew (build 17.0.12+0, mixed mode, sharing)
> Further, this isn't just a warning on the console. The mac actually pops up
> two alert dialogs to warn about this problem that user must click away during
> the build.
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)