Roy T. Fielding wrote:

> There is no reason for a separate repository.  [A separate repo] does not
> help protect "users" from incubator code, since users don't set the Maven
> configs that define which repos to use and which modules are dependencies.
> At best, what it does is add an irrelevant incubator layer on top of all
> Maven repo requests that masks the "normal" repo path from developers,
> introduces another way to inject insecure code, and wastes our bandwidth
> sending 404 responses to automated build requests.

> The user never makes a decision regarding incubator code in the Maven
> repo.  The user is either going to pull the incubator release directly and
> then build it using Maven with the provided pom, or some other project is
> going to make a decision to add the artifact (with incubator in its name)
> as a dependency.  The Maven repo path is irrelevant to the user's decisions.

> Yes, it would be nice if Maven was more secure, properly checked
> signatures, and properly delegated namespaces so that third-parties would
> be unable to add artifacts within other org's trees.  None of those issues
> are specific to incubator.

I am forced to agree with Roy on these points.  Until the Maven PMC stops
abrogating its responsibility and addresses the issues, there does not
appear to be anything that we can do about Maven's flaws short of banning
use of the public Maven repositories entirely.

Given that I consider promoting Maven's insecure, uncontrolled, and
unmanaged repositories to be at the height of irresponsibility, I would vote
in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
Maven's flaws were addressed, but unfortunately, I doubt that there is a
consensus to do so.  At least not until there is an actual exploit in the
wild, at which point the Maven PMC might finally open its eyes in panic.

However, the Maven repository situation has little to do with the need for
an Incubator.

        --- Noel
