Roy T. Fielding wrote:

> There is no reason for a separate repository. [A separate repo] does not
> help protect "users" from incubator code, since users don't set the Maven
> configs that define which repos to use and which modules are dependencies.
> At best, what it does is add an irrelevant incubator layer on top of all Maven
> repo requests that masks the "normal" repo path from developers, introduces
> another way to inject insecure code, and wastes our bandwidth sending 404
> responses to automated build requests.

> the user never makes a decision regarding incubator code in the Maven repo.
> The user is either going to pull the incubator release directly and then build it
> using Maven with the provided pom, or some other project is going to make a
> decision to add the artifact (with incubator in its name) as a dependency. The
> Maven repo path is irrelevant to the user's decisions

> Yes, it would be nice if Maven was more secure, properly checked signatures,
> and properly delegated namespaces so that third-parties would be unable to
> add artifacts within other org's trees.

None of those issues are specific to incubator. I am forced to agree with Roy on these points. Until the Maven PMC stops abrogating its responsibility and addresses the issues, there does not appear to be anything that we can do about Maven's flaws short of banning use of the public Maven repositories entirely.

Given that I consider promoting Maven's insecure, uncontrolled, and unmanaged repositories to be at the height of irresponsibility, I would vote in favor of such a ban -- ASF-wide, not limited to the Incubator -- until Maven's flaws were addressed, but unfortunately, I doubt that there is a consensus to do so. At least not until there is an actual exploit in the wild, at which point the Maven PMC might finally open its eyes in panic.

However, the Maven repository situation has little to do with the need for an Incubator.

--- Noel