Re: [VOTE] Maven Apache Parent 28 - Maven Shared Resources 5 - Maven Parent 38

2022-11-20 Thread Guillaume Nodet
I've uploaded the documentation sites. On Wed. 16 Nov. 2022 at 10:07, Slawomir Jaranowski wrote: > Please also update documentation sites: > > https://maven.apache.org/pom-archives/asf-LATEST/ > https://maven.apache.org/pom-archives/maven-LATEST/ > https://maven.apache.org/shared-archives/mave

[GitHub] [maven-project-utils] JLLeitschuh commented on pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
JLLeitschuh commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321480137 > Would automated emails with patch files attached be preferred? I reiterate this question. Is this what the ASF process would prefer? > This is not Apache commons,

Re: .well-known/security.txt at maven.apache.org

2022-11-20 Thread Romain Manni-Bucau
Oh missed the publication! Then +1 to link to asf security page. Romain Manni-Bucau @rmannibucau | Blog | Old Blog | Github | LinkedIn

Re: .well-known/security.txt at maven.apache.org

2022-11-20 Thread Benjamin Marwell
It is not a draft: https://datatracker.ietf.org/doc/html/rfc9116 Source: https://securitytxt.org Yes, I know apache.org has their own page, and I would not add any contradicting information. In fact, there's a policy field taking a URL which should point to the apache.org policy (https://www.apa

Re: .well-known/security.txt at maven.apache.org

2022-11-20 Thread Romain Manni-Bucau
Hi, AFAIK it is still a draft which cannot go anywhere (or go elsewhere like .security/ for some exposure reason since .well-known already has adoption and rules) and I didn't see it much adopted yet. However at apache we have kind of standards for that so isn't it too early to adopt it? Romain

.well-known/security.txt at maven.apache.org

2022-11-20 Thread Benjamin Marwell
Hi! Due to the recent GH activities (e.g. [1]), it came to my attention that there is no file ".well-known/security.txt" on maven.apache.org. We really should adopt it! For some more information, please refer to [2]. WDYT? - Ben [1]: https://github.com/apache/maven-project-utils/pull/5 [2]: http

[GitHub] [maven-project-utils] bmarwell commented on pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
bmarwell commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321198865 > > I finally had to add a gh-robots.txt file to most Commons repositories. > > If it is the will and decision of the Apache Commons PMC, I will of course respect this. >

[GitHub] [maven-project-utils] JLLeitschuh commented on pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
JLLeitschuh commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321196913 > I finally had to add a gh-robots.txt file to most Commons repositories. If it is the will and decision of the Apache Commons PMC, I will of course respect this.

[GitHub] [maven-project-utils] michael-o commented on pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
michael-o commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321180516 > So I ask again @JLLeitschuh - can you exclude Maven projects from your boot PR? > > Of course all proper PR with jira issue, reporting for ASF security team and other co

[GitHub] [maven-project-utils] slawekjaranowski commented on pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
slawekjaranowski commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321179889 So I ask again @JLLeitschuh - can you exclude Maven projects from your boot PR? Of course all proper PR with jira issue, reporting for ASF security team and other

[GitHub] [maven-project-utils] garydgregory commented on pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
garydgregory commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321165945 I asked this user to stop creating PRs against Apache Commons many times to no avail. Imagine having PRs against test code labeled "SECURITY" over and over... I finally had to

[GitHub] [maven-project-utils] JLLeitschuh commented on pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
JLLeitschuh commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321164679 > I am very tired of having static analysis tools run on repos and filing bugs or PRs that have no understanding of context. This is exactly what I don't file bugs. They

[GitHub] [maven-project-utils] elharo closed pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
elharo closed pull request #5: Unimportant drive-by robot submission URL: https://github.com/apache/maven-project-utils/pull/5 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. T

[GitHub] [maven-project-utils] elharo commented on pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
elharo commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321159446 I am very tired of having static analysis tools run on repos and filing bugs or PRs that have no understanding of context. They rarely reveal real bugs, and mostly just waste develo

[GitHub] [maven-project-utils] JLLeitschuh commented on pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
JLLeitschuh commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321156750 I've reviewed this vulnerability in example projects, yes... For this particular project's use case, no I have not. Doing so for over 1k projects by-hand is, unfortunately impra

[GitHub] [maven-project-utils] JLLeitschuh commented on pull request #5: Unimportant drive-by robot submission

2022-11-20 Thread GitBox
JLLeitschuh commented on PR #5: URL: https://github.com/apache/maven-project-utils/pull/5#issuecomment-1321156727 I've reviewed this vulnerability in example projects, yes... For this particular project's use case, no I have not. Doing so for over 1k projects by-hand is, unfortunately impra

Re: Mojo injection with maven 4 (was Re: Maven 3 API, backwards compatibility)

2022-11-20 Thread Romain Manni-Bucau
On Sun. 20 Nov. 2022 at 07:59, Christoph Läubrich wrote: > This does not really answer the question. Extensions are made for > extending maven(-plugins) (either on the core or the project level) so > if plugins are only ever getting maven4-api available how will it be > possible then? > Hopefu