On Jul 9, 2008, at 12:16 PM, Noel J. Bergman wrote:
> I am forced to agree with Roy on these points. Until the Maven PMC
> stops abrogating its responsibility and addresses the issues, there
> does not appear to be anything that we can do about Maven's flaws
> short of banning use of the public Maven repositories entirely.
>
> Given that I consider promoting Maven's insecure, uncontrolled, and
> unmanaged repositories to be at the height of irresponsibility, I
> would vote in favor of such a ban -- ASF-wide, not limited to the
> Incubator -- until Maven's flaws were addressed, but unfortunately,
> I doubt that there is a consensus to do so. At least not until there
> is an actual exploit in the wild, at which point the Maven PMC might
> finally open its eyes in panic.

And I am forced to agree as well... To be honest, I still at times
question exactly what the "relationship" between the ASF and Maven is.
It's no surprise that Maven chomps at the bit quite a bit regarding
ASF policies, but values the "Apache brand" enough to toe the
line. But IMO it is time for the ASF to see how this is increasing
the risk and potential for trouble with the whole foundation.