[jira] [Closed] (MNGSITE-299) Download security flaw
[ https://issues.apache.org/jira/browse/MNGSITE-299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Scholte closed MNGSITE-299.
----------------------------------
    Resolution: Invalid
      Assignee: Robert Scholte

You should ask the writer of the blog to update those links, nothing we can do about it.

> Download security flaw
> ----------------------
>
>                 Key: MNGSITE-299
>                 URL: https://issues.apache.org/jira/browse/MNGSITE-299
>             Project: Maven Project Web Site
>          Issue Type: Bug
>         Environment: any - raspberry pi in particular
>            Reporter: Warren MacEvoy
>            Assignee: Robert Scholte
>
> A quick search of how to install maven on a raspberry pi reveals the most
> effective way is a direct install from a download from your site. I.e:
> https://www.xianic.net/post/installing-maven-on-the-raspberry-pi/
> I assume many of these users are new developers. However the download link
> on your site refers to an INSECURE download,
> http://www.mirrorservice.org/sites/ftp.apache.org/maven/maven-3/3.2.5/binaries/apache-maven-3.3.9-bin.tar.gz
> followed by the suggestion users should verify the download using md5 (!) or
> gpg.
> Ignoring the terrible idea of having md5 hashes, about four more steps later
> gives the following most unsatisfying gpg result:
> gpg --verify apache-maven-3.3.9-bin.tar.gz.asc apache-maven-3.3.9-bin.tar.gz
> gpg: Signature made Tue 10 Nov 2015 16:44:20 UTC using DSA key ID BB617866
> gpg: Good signature from "Sarel Jason van Zyl "
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: FB11 D4BB 7B24 4678 337A AD8B C7BF 26D0 BB61 7866
> So
> 1. The CDN should ONLY ALLOW HTTPS. Maven is a core project and allowing for
> simple injection at this level is irresponsible.
> 2. Providing md5 checksums is irresponsible. How about sha256? This would
> allow us to skip all the gpg run-around to vacuous conclusion.
> 3. If gpg is the preferred route, then uploads should not be allowed that
> does not give a more satisfying answer than "there is no indication the
> signature belongs to the owner". I think this falls below the md5 sum bar.
> Thank you for providing support to this important project.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
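
An added example, not part of the original messages or of Maven's own tooling: the gpg result quoted above says the signature is cryptographically good but the key has no local certification, and one way to turn that into a yes/no decision is to pin the signer's full fingerprint and compare it with gpg's machine-readable status output. The function names, the `verify_release` wrapper and the sample status records are constructed for illustration, and the pin is assumed to have been confirmed through a channel you trust.

```shell
#!/bin/sh
# Added example: accept a gpg verification only when a valid signature was made
# by a key whose full fingerprint matches a pinned value.

# Fingerprint from the gpg output quoted in the report, spaces removed.
# Assumption: it was confirmed through a channel you trust before pinning.
PINNED_FPR="FB11D4BB7B244678337AAD8BC7BF26D0BB617866"

# fpr_from_status: read `gpg --status-fd` records on stdin; print the primary
# key fingerprint only if the signature is good and not expired or revoked.
fpr_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && NF >= 12 { fpr = toupper($12) }
        END { if (good && !bad && fpr != "") print fpr }
    '
}

# sig_matches_pin PIN: succeed only if stdin describes a good signature whose
# primary key fingerprint equals PIN. Fails closed on anything else.
sig_matches_pin() {
    got=$(fpr_from_status)
    [ -n "$got" ] && [ "$got" = "$1" ]
}

# verify_release FILE: hypothetical wrapper that runs gpg on FILE and FILE.asc.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        sig_matches_pin "$PINNED_FPR"
}

# Constructed status records mirroring the report: good signature, key with no
# local certification (TRUST_UNDEFINED), fingerprint equal to the pin.
SAMPLE_UNCERTIFIED='[GNUPG:] GOODSIG C7BF26D0BB617866 Sarel Jason van Zyl
[GNUPG:] VALIDSIG FB11D4BB7B244678337AAD8BC7BF26D0BB617866 2015-11-10 1447173860 0 4 0 17 2 00 FB11D4BB7B244678337AAD8BC7BF26D0BB617866
[GNUPG:] TRUST_UNDEFINED'

# Constructed: equally "good" signature, but from a different (placeholder) key.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 0000000000000001 Constructed Other Signer
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2015-11-10 1447173860 0 4 0 17 2 00 0000000000000000000000000000000000000001
[GNUPG:] TRUST_UNDEFINED'

printf '%s\n' "$SAMPLE_UNCERTIFIED" | sig_matches_pin "$PINNED_FPR" && echo "pinned key: accept"
printf '%s\n' "$SAMPLE_OTHER_KEY" | sig_matches_pin "$PINNED_FPR" || echo "unknown key: reject"
```
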
[jira] [Commented] (SUREFIRE-1317) Refactoring
[ https://issues.apache.org/jira/browse/SUREFIRE-1317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15834320#comment-15834320 ]

Hudson commented on SUREFIRE-1317:
-----------------------------------

SUCCESS: Integrated in Jenkins build maven-surefire #1671 (See [https://builds.apache.org/job/maven-surefire/1671/])
Revert "[SUREFIRE-1317] - Refactoring" (stephen.alan.connolly: [http://git-wip-us.apache.org/repos/asf/?p=maven-surefire.git&a=commit&h=e36fe19ebd1e4db3ced9e853b4a60489a54e569c])
* (edit) surefire-api/src/main/java/org/apache/maven/surefire/report/SafeThrowable.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/runorder/StatisticsReporter.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/booterclient/output/LostCommandsDumpSingleton.java
* (edit) maven-surefire-common/src/test/java/org/apache/maven/plugin/surefire/report/DefaultReporterFactoryTest.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/AbstractSurefireMojo.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/booterclient/ForkStarter.java
* (edit) maven-surefire-report-plugin/src/test/java/org/apache/maven/plugins/surefire/report/Utils.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/report/DefaultReporterFactory.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/booterclient/output/ForkClient.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/booterclient/output/ThreadedStreamConsumer.java
* (edit) maven-surefire-common/pom.xml
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/report/NullStatelessXmlReporter.java
* (edit) surefire-api/src/main/java/org/apache/maven/surefire/booter/MasterProcessCommand.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/report/TestSetRunListener.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/report/StatelessXmlReporter.java
* (edit) surefire-api/src/main/java/org/apache/maven/surefire/util/internal/StringUtils.java
* (edit) surefire-api/src/main/java/org/apache/maven/surefire/report/CategorizedReportEntry.java
* (edit) maven-surefire-common/src/test/java/org/apache/maven/plugin/surefire/report/StatelessXmlReporterTest.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/booterclient/output/DeserializedStacktraceWriter.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/StartupReportConfiguration.java

> Refactoring
> -----------
>
>                 Key: SUREFIRE-1317
>                 URL: https://issues.apache.org/jira/browse/SUREFIRE-1317
>             Project: Maven Surefire
>          Issue Type: Improvement
>          Components: Maven Failsafe Plugin, Maven Surefire Plugin, Maven Surefire Report Plugin
>            Reporter: Tibor Digana
>            Assignee: Tibor Digana
>             Fix For: 2.19.2
>
[jira] [Commented] (SUREFIRE-1324) Surefire incorrectly suppresses exceptions when closing resources.
[ https://issues.apache.org/jira/browse/SUREFIRE-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15834321#comment-15834321 ]

Hudson commented on SUREFIRE-1324:
-----------------------------------

SUCCESS: Integrated in Jenkins build maven-surefire #1671 (See [https://builds.apache.org/job/maven-surefire/1671/])
Revert "[MSUREFIRE-1324] Surefire incorrectly suppresses exceptions when (stephen.alan.connolly: [http://git-wip-us.apache.org/repos/asf/?p=maven-surefire.git&a=commit&h=0dbb5bb8a6522cc50a3609c353f0f7802946c0e2])
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/report/StatelessXmlReporter.java
Revert "[SUREFIRE-1324] Surefire incorrectly suppresses exceptions when (stephen.alan.connolly: [http://git-wip-us.apache.org/repos/asf/?p=maven-surefire.git&a=commit&h=1c9df460e2e7e7ddaee9c0fe4ca79fe895744577])
* (edit) surefire-integration-tests/src/test/resources/test-helper-dump-pid-plugin/src/main/java/org/apache/maven/plugins/surefire/dumppid/DumpPidMojo.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/report/FileReporter.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/booterclient/output/ThreadedStreamConsumer.java
* (edit) surefire-api/src/main/java/org/apache/maven/surefire/booter/MasterProcessCommand.java
* (edit) surefire-api/pom.xml
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/booterclient/ForkConfiguration.java
* (edit) surefire-integration-tests/src/test/java/org/apache/maven/surefire/its/fixture/TestFile.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/runorder/StatisticsReporter.java
* (edit) surefire-integration-tests/src/test/resources/testng-objectFactory/src/test/java/testng/objectfactory/FileHelper.java
* (edit) surefire-integration-tests/src/test/resources/surefire-803-multiFailsafeExec-failureInFirst/src/test/java/org/apache/maven/surefire/test/FailingTest.java
* (edit) surefire-api/src/main/java/org/apache/maven/plugin/surefire/runorder/RunEntryStatisticsMap.java
* (edit) surefire-api/src/main/java/org/apache/maven/surefire/booter/ForkingRunListener.java
* (edit) maven-surefire-common/src/test/java/org/apache/maven/surefire/report/FileReporterTest.java
* (edit) surefire-booter/src/main/java/org/apache/maven/surefire/booter/SystemPropertyManager.java
* (edit) surefire-integration-tests/src/test/resources/surefire-803-multiFailsafeExec-failureInFirst/src/test/java/org/apache/maven/surefire/test/SucceedingTest.java
* (edit) surefire-booter/src/main/java/org/apache/maven/surefire/booter/ForkedBooter.java
* (edit) surefire-integration-tests/src/test/resources/classpath-order/src/test/java/it/BasicTest.java
* (delete) surefire-api/src/main/java/org/apache/maven/surefire/booter/DumpErrorSingleton.java
* (edit) surefire-integration-tests/src/test/resources/testng-listener-reporter/src/test/java/listenReport/FileHelper.java
* (edit) surefire-integration-tests/src/test/resources/junit4-runlistener/src/test/java/runListener/FileHelper.java
* (edit) surefire-integration-tests/src/test/resources/testng-testRunnerFactory/src/test/java/testng/testrunnerfactory/FileHelper.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/booterclient/output/LostCommandsDumpSingleton.java
* (edit) surefire-api/src/main/java/org/apache/maven/surefire/booter/CommandReader.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/report/ConsoleOutputFileReporter.java
* (edit) maven-surefire-report-plugin/src/test/java/org/apache/maven/plugins/surefire/report/SurefireReportMojoTest.java
* (edit) maven-surefire-common/src/main/java/org/apache/maven/plugin/surefire/SurefireProperties.java

> Surefire incorrectly suppresses exceptions when closing resources.
> ------------------------------------------------------------------
>
>                 Key: SUREFIRE-1324
>                 URL: https://issues.apache.org/jira/browse/SUREFIRE-1324
>             Project: Maven Surefire
>          Issue Type: Bug
>            Reporter: Christian Schulte
>            Assignee: Tibor Digana
>            Priority: Critical
>             Fix For: 2.19.2
>
>
> There are various places where exceptions thrown when closing resources are
> suppressed although they should be handled. Additionally, the {{PrintStream}}
> class does not throw exceptions but provides a {{checkError}} method to be
> used instead. This method has not been used after writing to the
> {{PrintStream}}.
[jira] [Commented] (SUREFIRE-1322) Surefire and Failsafe should dump critical errors in dump file and console
[ https://issues.apache.org/jira/browse/SUREFIRE-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15834322#comment-15834322 ]

Hudson commented on SUREFIRE-1322:
-----------------------------------

SUCCESS: Integrated in Jenkins build maven-surefire #1671 (See [https://builds.apache.org/job/maven-surefire/1671/])
Revert "[SUREFIRE-1322] - Surefire and Failsafe should dump critical (stephen.alan.connolly: [http://git-wip-us.apache.org/repos/asf/?p=maven-surefire.git&a=commit&h=c12adb87547a56c54c22c86191d214dc9b79b2eb])
* (edit) surefire-api/src/main/java/org/apache/maven/surefire/booter/CommandReader.java

> Surefire and Failsafe should dump critical errors in dump file and console
> --------------------------------------------------------------------------
>
>                 Key: SUREFIRE-1322
>                 URL: https://issues.apache.org/jira/browse/SUREFIRE-1322
>             Project: Maven Surefire
>          Issue Type: Bug
>            Reporter: Tibor Digana
>            Assignee: Tibor Digana
>             Fix For: 2.19.2
>
>
> Both plugins, Surefire and Failsafe, dump stack trace and error messages and
> lost commands in dump file or in console:
> [date]-jvmRun[N].dump,
> [date].dumpstream and
> [date]-jvmRun[N].dumpstream
> In previous versions the plugins threw exceptions like,
> MojoExecutionException and MojoFailureException, but the user could not see
> any message of error which killed the plugin internally.
> Since now this is possible and the user can see the dump files in target
> target/failsafe-reports and target/surefire-reports.
[jira] [Created] (ARCHETYPE-514) Tests fail with empty repository and 'mvn verify'
Robert Scholte created ARCHETYPE-514:
-------------------------------------

             Summary: Tests fail with empty repository and 'mvn verify'
                 Key: ARCHETYPE-514
                 URL: https://issues.apache.org/jira/browse/ARCHETYPE-514
             Project: Maven Archetype
          Issue Type: Improvement
    Affects Versions: 2.4
            Reporter: Robert Scholte

The Maven Archetype Testing Final assumes the maven-archetype-plugin is available in the local repository. This makes it impossible to simply run {{mvn verify}} with an empty repository.
And if {{mvn verify}} works, it is *not* using the plugin from the reactor.
[jira] [Updated] (ARCHETYPE-514) Tests fail with empty repository and 'mvn verify'
[ https://issues.apache.org/jira/browse/ARCHETYPE-514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Scholte updated ARCHETYPE-514:
-------------------------------------
    Priority: Critical (was: Major)

> Tests fail with empty repository and 'mvn verify'
> -------------------------------------------------
>
>                 Key: ARCHETYPE-514
>                 URL: https://issues.apache.org/jira/browse/ARCHETYPE-514
>             Project: Maven Archetype
>          Issue Type: Improvement
>    Affects Versions: 2.4
>            Reporter: Robert Scholte
>            Priority: Critical
>
> The Maven Archetype Testing Final assumes the maven-archetype-plugin is
> available in the local repository. This makes it impossible to simply run
> {{mvn verify}} with an empty repository.
> And if {{mvn verify}} works, it is *not* using the plugin from the reactor.