Jukka, fwiw. My objection(s) had nothing to do with security.

thanks,
dims

On Wed, Jul 9, 2008 at 6:25 PM, Jukka Zitting <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Wed, Jul 9, 2008 at 8:46 PM, Paul Querna <[EMAIL PROTECTED]> wrote:
>> Noel J. Bergman wrote:
>>> [...] Until the Maven PMC stops abrogating its responsibility and addresses
>>> the issues, there does not appear to be anything that we can do about
>>> Maven's flaws short of banning use of the public Maven repositories
>>> entirely.
>>
>> +1.
>>
>> If this was how Debian ran packages or FreeBSD managed the ports collection,
>> there would have already been an exploit incident.
>>
>> We are running on borrowed time, and I don't understand why the PMC
>> continues to promote features with a completely broken security model.
>
> Frankly, I don't see what's so "completely broken" about the Maven
> repository. Lack of automatic signature checking?
>
> For comparison: CPAN has been available for well over a decade and it
> has had signature checking for less than three years now. And the
> feature is still optional, disabled by default.
>
> Another comparison: Apache releases come with digital signatures, but
> it's up to the users to manually verify them. Download statistics
> indicate that the vast majority of users never even look at the
> signatures. As it stands, signature checking is optional and disabled
> by default.
>
> So, while I do appreciate the enthusiasm, I think cries about Maven
> security being broken and the use of the repository being
> irresponsible are IMHO greatly exaggerated. Having automatic signature
> checking in Maven would be nice, but it's not a big enough itch that
> I'd personally want to scratch that and IMHO certainly not serious
> enough that I'd for example consider not using the Maven repository in
> projects I'm involved with.
>
> BR,
>
> Jukka Zitting
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

--
Davanum Srinivas :: http://davanum.wordpress.com
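The manual verification step the thread keeps coming back to (checking the `.sha1` sidecar and the detached `.asc` signature that Maven repositories and Apache releases publish beside each artifact) looks like this on the client side. This is an added Python example, not code from the thread or from Maven itself; the artifact bytes and sidecar text are constructed, and the keyring path handed to `signature_verifies` is an assumed location for a keyring the reader has built from a reviewed KEYS file.

```python
"""Client-side verification of a downloaded artifact: SHA-1 sidecar check
(integrity) plus an optional OpenPGP check of the detached .asc (authenticity).

Added example; the sample artifact and sidecar below are constructed."""
import hashlib
import hmac
import shutil
import subprocess
from typing import Optional

# Constructed stand-in for a downloaded .jar (not a real archive).
SAMPLE_ARTIFACT = b"PK\x03\x04 not a real jar, just sample bytes\n"
# Repositories publish the hex SHA-1 next to the artifact; some tools also
# append whitespace and the file name, so the parser tolerates both layouts.
SAMPLE_SIDECAR = hashlib.sha1(SAMPLE_ARTIFACT).hexdigest() + "  sample-1.0.jar\n"
# Constructed "modified in transit" variant of the same artifact.
TAMPERED_ARTIFACT = SAMPLE_ARTIFACT.replace(b"sample", b"SAMPLE")


def parse_sidecar(text: str) -> str:
    """Return the lowercase 40-hex-digit digest from a .sha1 sidecar."""
    parts = text.strip().split()
    token = parts[0] if parts else ""
    if len(token) != 40 or any(c not in "0123456789abcdefABCDEF" for c in token):
        raise ValueError("malformed SHA-1 sidecar")
    return token.lower()


def checksum_matches(artifact: bytes, sidecar_text: str) -> bool:
    """Integrity only: catches corruption or a mismatched upload. It does not
    catch a malicious artifact whose .sha1 was replaced alongside it, because
    the sidecar comes from the same untrusted channel as the artifact."""
    expected = parse_sidecar(sidecar_text)
    actual = hashlib.sha1(artifact).hexdigest()
    return hmac.compare_digest(expected, actual)


def signature_verifies(artifact_path: str, signature_path: str,
                       keyring_path: str) -> Optional[bool]:
    """Authenticity: verify the detached .asc with gpg against a keyring that
    holds only the release keys you have chosen to trust for this project
    (assumed to have been imported from a reviewed KEYS file beforehand).
    Returns None when gpg is not installed so the caller can decide policy
    instead of silently treating "could not check" as "checked"."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    # --no-default-keyring keeps keys from the user's general keyring out of
    # the decision; pass an absolute keyring path so gpg does not look in its
    # home directory for it.
    result = subprocess.run(
        [gpg, "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", signature_path, artifact_path],
        capture_output=True, text=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    print("intact   :", checksum_matches(SAMPLE_ARTIFACT, SAMPLE_SIDECAR))
    print("tampered :", checksum_matches(TAMPERED_ARTIFACT, SAMPLE_SIDECAR))
    print("signature:", signature_verifies("sample-1.0.jar", "sample-1.0.jar.asc",
                                           "/assumed/path/project-keys.gpg"))
```

The two checks answer different questions: the checksum tells you the bytes you got are the bytes the server intended to serve, the signature tells you a key you trust vouched for them. A build tool that only does the first (or neither by default, as the thread notes) leaves the second to the user, which is exactly the gap the download statistics Jukka cites describe.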