Noel J. Bergman wrote:
Roy T. Fielding wrote:
There is no reason for a separate repository. [A separate repo] does not
help protect "users" from incubator code, since users don't set the Maven
configs that define which repos to use and which modules are dependencies.
At best, what it does is add an irrelevant incubator layer on top of all
Maven repo requests that masks the "normal" repo path from developers,
introduces another way to inject insecure code, and wastes our bandwidth
sending 404 responses to automated build requests.
The user never makes a decision regarding incubator code in the Maven
repo. The user is either going to pull the incubator release directly and
then build it using Maven with the provided pom, or some other project is
going to make a decision to add the artifact (with incubator in its name)
as a dependency. The Maven repo path is irrelevant to the user's decisions.
Yes, it would be nice if Maven was more secure, properly checked
signatures, and properly delegated namespaces so that third parties would
be unable to add artifacts within other orgs' trees. None of those issues
are specific to incubator.
I am forced to agree with Roy on these points. Until the Maven PMC stops
abrogating its responsibility and addresses the issues, there does not
appear to be anything that we can do about Maven's flaws short of banning
use of the public Maven repositories entirely.
+1.
If this was how Debian ran packages or FreeBSD managed the ports
collection, there would have already been an exploit incident.
We are running on borrowed time, and I don't understand why the PMC
continues to promote features with a completely broken security model.
Given that I consider promoting Maven's insecure, uncontrolled, and
unmanaged repositories to be the height of irresponsibility, I would vote
in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
Maven's flaws were addressed, but unfortunately, I doubt that there is a
consensus to do so. At least not until there is an actual exploit in the
wild, at which point the Maven PMC might finally open its eyes in panic.
I'm not involved in Maven at all, and I can understand a project skimping
on more complicated security issues early on -- but at this point Maven
seems like a well-established project that isn't just an experiment --
people will be using it en masse for years to come. For the security
infrastructure to be completely missing is, to me, completely unacceptable.
However, the Maven repository situation has little to do with the need for
an Incubator.
I agree :-)
-Paul
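Added example, not part of the thread and not Maven's own code: the two checks Roy says the repository lacked, signature verification and namespace delegation, written as a repository-side acceptance policy. It also shows why a .sha1 sidecar alone is no defence: whoever can upload the jar can upload a matching checksum. PGP is replaced by HMAC-SHA256 under a per-organisation key so the script runs offline; the groupId prefixes, key names and artifacts are all constructed for illustration.

```python
"""Repository acceptance policy: checksum + namespace-bound signature.

Added example, not code from the thread or from Maven. The HMAC "signature"
is a stand-in for a detached PGP signature so the script runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed namespace registry (hypothetical values, not Maven's): each
# groupId prefix is delegated to one organisation, and only that
# organisation's release key may publish beneath it.
NAMESPACE_OWNERS = {
    "org.apache": "asf",
    "org.apache.incubator": "asf-incubator",
}

# Stand-in for PGP keys: per-organisation HMAC secrets (constructed).
SIGNING_KEYS = {
    "asf": b"constructed-asf-release-key",
    "asf-incubator": b"constructed-incubator-release-key",
    "mallory": b"constructed-key-of-an-unrelated-uploader",
}


@dataclass
class Artifact:
    group_id: str
    artifact_id: str
    version: str
    data: bytes
    sha1: str         # what the .sha1 sidecar file claims
    signer: str       # organisation named by the signature metadata
    signature: bytes  # stand-in for the detached .asc signature


def repo_path(a: Artifact) -> str:
    """Maven 2 layout: groupId dots become directories."""
    return "/".join(a.group_id.split(".")) + f"/{a.artifact_id}/{a.version}/{a.artifact_id}-{a.version}.jar"


def owner_for(group_id: str) -> Optional[str]:
    """Longest-prefix match, so org.apache.incubator.* is delegated to the
    incubator key even though org.apache.* as a whole belongs to the ASF."""
    best_prefix, best_org = "", None
    for prefix, org in NAMESPACE_OWNERS.items():
        if (group_id == prefix or group_id.startswith(prefix + ".")) and len(prefix) > len(best_prefix):
            best_prefix, best_org = prefix, org
    return best_org


def sign(org: str, data: bytes) -> bytes:
    return hmac.new(SIGNING_KEYS[org], data, hashlib.sha256).digest()


def publish(org: str, group_id: str, artifact_id: str, version: str, data: bytes) -> Artifact:
    """Everything an uploader controls: the jar, a matching .sha1, and a
    signature under whatever key that uploader happens to hold."""
    return Artifact(group_id, artifact_id, version, data,
                    hashlib.sha1(data).hexdigest(), org, sign(org, data))


def checksum_ok(a: Artifact) -> bool:
    """Detects corruption only; it says nothing about who published the jar."""
    return hashlib.sha1(a.data).hexdigest() == a.sha1


def signature_ok(a: Artifact) -> bool:
    """Binds the artifact to the organisation that owns its groupId namespace:
    the signer must be the namespace owner AND the signature must verify."""
    org = owner_for(a.group_id)
    if org is None or a.signer != org:
        return False
    return hmac.compare_digest(sign(org, a.data), a.signature)


def accept(a: Artifact) -> bool:
    return checksum_ok(a) and signature_ok(a)


# Constructed sample artifacts.
LEGIT = publish("asf", "org.apache.commons", "commons-io", "1.0", b"real jar bytes")
INCUBATING = publish("asf-incubator", "org.apache.incubator.foo", "foo-incubating", "0.1", b"incubating jar")
# An unrelated uploader drops a jar plus a matching .sha1 into the ASF tree.
FORGED = publish("mallory", "org.apache.commons", "commons-io", "1.0.1", b"trojaned jar bytes")
# The incubator key tries to publish outside its delegated namespace.
ESCAPED = publish("asf-incubator", "org.apache.commons", "commons-io", "1.0.2", b"jar signed by the wrong key")

if __name__ == "__main__":
    for a in (LEGIT, INCUBATING, FORGED, ESCAPED):
        print(f"{repo_path(a):62s} checksum={checksum_ok(a)!s:5} "
              f"signature={signature_ok(a)!s:5} accept={accept(a)}")
```

Running it shows FORGED passing the checksum check and failing the signature check, and ESCAPED failing even though its signature is valid, because the incubator key is not the owner of org.apache.commons. Both rejections come from the namespace binding, not from the checksum.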