Repos defined in plugin are used to download dependencies
---------------------------------------------------------
Key: MNG-3384
URL: http://jira.codehaus.org/browse/MNG-3384
Project: Maven 2
Issue Type: Bug
Components: Artifacts and Repositories, Plugins and Lifecycle
Affects Versions: 2.0.8
Reporter: Stefan Seidel
When a plugin defines a repository, the dependencies declared to and by this
plugin are resolved within these repositories. While this might be easier, it
introduces a number of problems, including the fact that it cannot be
controlled which repos are used, and security concerns (internal artifact
names might be sent to a remote repository; a malicious plugin could define a
fake repo with malicious "more recent" versions of almost anything).
If there is no intention to change the current behaviour, there should at
least be an option to disable it.
Less specifically, I think the situation got worse in 2.1-SNAPSHOT (I use the
m2eclipse plugin), because I see lookups of SNAPSHOT versions of dependencies
occur much more often than with 2.0.8.
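The following is an added example, not part of the original issue report and not code from Maven itself. It shows one way to audit for the behaviour described above: parse POM files (for instance every .pom under a local repository) and list the resolution repositories they declare, so that a plugin that injects its own repository into dependency lookups becomes visible before it is trusted. The sample plugin POM, its repository ids and all URLs below are constructed for illustration; the allow-list of internal repository URLs is an assumption the caller supplies.

```python
"""Audit Maven POMs for repository declarations that would be pulled into
dependency resolution (the behaviour described in MNG-3384).

Added example, not part of the original issue or of Maven itself. The
sample POM and every URL and id in it are constructed for illustration."""
import os
import xml.etree.ElementTree as ET

# Constructed plugin POM: it declares a resolution repository (the problem
# case) and a distributionManagement repository (a deploy target, which is
# not used for resolution and must not be reported).
SAMPLE_PLUGIN_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example.plugins</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0</version>
  <packaging>maven-plugin</packaging>
  <repositories>
    <repository>
      <id>plugin-author-repo</id>
      <url>http://repo.example.com/maven2</url>
    </repository>
  </repositories>
  <distributionManagement>
    <repository>
      <id>deploy-target</id>
      <url>http://deploy.example.com/maven2</url>
    </repository>
  </distributionManagement>
</project>
"""

RESOLUTION_ENTRIES = ("repository", "pluginRepository")
RESOLUTION_SECTIONS = ("repositories", "pluginRepositories")


def _local(tag):
    """Strip an XML namespace: '{http://...}repository' -> 'repository'.
    Maven 2 POMs are written both with and without the POM namespace."""
    return tag.rsplit("}", 1)[-1]


def _walk(elem, path, out):
    """Recursive walk that tracks the tag path, so that
    repositories/repository (resolution source) can be told apart from
    distributionManagement/repository (deploy target)."""
    path = path + [_local(elem.tag)]
    if (len(path) > 1 and path[-1] in RESOLUTION_ENTRIES
            and path[-2] in RESOLUTION_SECTIONS):
        rid = url = ""
        for child in elem:
            if _local(child.tag) == "id":
                rid = (child.text or "").strip()
            elif _local(child.tag) == "url":
                url = (child.text or "").strip()
        # section is the path below <project>, e.g. "repositories" or
        # "profiles/profile/pluginRepositories"
        out.append(("/".join(path[1:-1]), rid, url))
        return
    for child in elem:
        _walk(child, path, out)


def repositories_in_pom(pom_xml):
    """Return [(section, id, url), ...] for every resolution repository a
    POM declares, including ones nested inside profiles."""
    out = []
    _walk(ET.fromstring(pom_xml), [], out)
    return out


def untrusted_repositories(pom_xml, allowed_urls):
    """Declared repositories whose URL is not on the caller's allow-list
    (the allow-list of internal repository URLs is an assumption)."""
    allowed = {u.rstrip("/") for u in allowed_urls}
    return [r for r in repositories_in_pom(pom_xml)
            if r[2].rstrip("/") not in allowed]


def scan_local_repository(root_dir, allowed_urls):
    """Walk a local repository (e.g. ~/.m2/repository) and report every .pom
    that declares a resolution repository outside the allow-list."""
    report = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.endswith(".pom"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    hits = untrusted_repositories(fh.read(), allowed_urls)
            except ET.ParseError:
                continue  # malformed POM; a real audit should log this
            if hits:
                report[full] = hits
    return report


if __name__ == "__main__":
    # Hypothetical internal repository URL used as the allow-list.
    allow = ["https://repo.internal.example.com/maven2/"]
    for hit in untrusted_repositories(SAMPLE_PLUGIN_POM, allow):
        print("untrusted repository declared in sample POM:", hit)
    local = os.path.expanduser("~/.m2/repository")
    if os.path.isdir(local):
        for pom, hits in scan_local_repository(local, allow).items():
            print(pom, hits)
```

Run against a real local repository, the scan lists every plugin or dependency POM that would add lookups outside the repositories you control. The complementary control on the Maven side is a settings.xml mirror with `<mirrorOf>*</mirrorOf>`, which routes every repository id, including ones declared by plugins, through a single internal repository URL; that stops both the uncontrolled lookups and the leakage of internal artifact names, though it does not stop a plugin from requesting a "more recent" version that the mirror itself can serve.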