On Mon, Jan 7, 2019 at 11:00 AM Alex Harui <aha...@adobe.com.invalid> wrote:
> Hi Mike,
>
> Thanks for the input. IMO, that exploit would be easily seen.

Indeed, but setting readability of the example aside: In the context of your question, no - it's not sufficient to verify that only pom.xml was modified. A change to pom.xml may well introduce something malicious and the nature of the changes needs to be reviewed, ideally by someone who would spot such things.

> The release plugin should only be changing one-liners with version
> numbers. Can you think of one-liner attacks?

Off the top of my head, a change in plugin/dependency could cause the build to inherit a vulnerability from elsewhere, but I don't think we need to go that far here. Changes to code can't be trusted without human review.

- Mike
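As an added example (not code from either participant in this thread), here is the kind of pre-review check the point above suggests: it diffs two pom.xml revisions element by element, lets through only the version paths a release step is expected to rewrite (the ALLOWED set is an assumption for this example), and hands everything else, including a one-line change to a dependency or plugin, to a human reviewer. The sample POMs are constructed.

```python
import xml.etree.ElementTree as ET

# Paths the release step is expected to rewrite (an assumption for this example, not
# something the thread specifies); any other difference is flagged for human review.
ALLOWED = {"project/version", "project/parent/version", "project/scm/tag"}

def _local(tag):  # "{http://maven.apache.org/POM/4.0.0}version" -> "version"
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    child = next((c for c in elem if _local(c.tag) == name), None)
    return (child.text or "").strip() if child is not None else None

def flatten(xml_text):
    """Map each leaf element to its text, keyed by a path like
    project/dependencies/dependency[org.example:lib]/version."""
    leaves = {}
    def walk(elem, parent):
        name = _local(elem.tag)
        if name in ("dependency", "plugin"):  # key list entries by their coordinates
            name += f"[{_child_text(elem, 'groupId')}:{_child_text(elem, 'artifactId')}]"
        path = f"{parent}/{name}" if parent else name
        if len(elem) == 0:
            leaves[path] = (elem.text or "").strip()
        for child in elem:
            walk(child, path)
    walk(ET.fromstring(xml_text), "")
    return leaves

def review_pom_change(old_xml, new_xml):
    """Return (ok, findings): ok is True only if every difference is on an ALLOWED path."""
    old, new = flatten(old_xml), flatten(new_xml)
    findings = []
    for path in sorted(set(old) | set(new)):
        if old.get(path) == new.get(path):
            continue
        kind = "changed" if path in old and path in new else "added" if path in new else "removed"
        if not (kind == "changed" and path in ALLOWED):
            findings.append(f"{kind}: {path} {old.get(path)!r} -> {new.get(path)!r}")
    return (not findings, findings)

# Constructed sample POMs (not from the thread): a clean release bump, then the same
# commit with a one-line dependency change slipped in alongside it.
OLD = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>app</artifactId><version>1.0-SNAPSHOT</version>
  <dependencies><dependency><groupId>org.example</groupId><artifactId>lib</artifactId>
  <version>2.1</version></dependency></dependencies>
</project>"""
RELEASE = OLD.replace("1.0-SNAPSHOT", "1.0")
TAMPERED = RELEASE.replace("<version>2.1</version>", "<version>2.1-patched</version>")
```

A clean result only means the expected paths changed; the findings list is the input to the human review, not a substitute for it.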