Hi Jim,
> It's no surprise that Maven chomps at the bit quite a bit regarding
> ASF policies, but values the "Apache brand" enough to toe the
> line.
Did you mean Maven as "Maven repo deployed @Apache" or "Maven the
PMC"? As Noel was talking specifically about the PMC. We can certainly
ban Maven repo use until better security, etc. is implemented, but I
don't think ASF policies apply to the architecture decisions (good or
bad) and development direction of any given project.
Andrus
On Jul 11, 2008, at 4:23 PM, Jim Jagielski wrote:
> On Jul 9, 2008, at 12:16 PM, Noel J. Bergman wrote:
>> I am forced to agree with Roy on these points. Until the Maven PMC stops
>> abrogating its responsibility and addresses the issues, there does not
>> appear to be anything that we can do about Maven's flaws short of banning
>> use of the public Maven repositories entirely.
>>
>> Given that I consider promoting Maven's insecure, uncontrolled, and
>> unmanaged repositories to be at the height of irresponsibility, I would vote
>> in favor of such a ban -- ASF-wide, not limited to the Incubator -- until
>> Maven's flaws were addressed, but unfortunately, I doubt that there is a
>> consensus to do so. At least not until there is an actual exploit in the
>> wild, at which point the Maven PMC might finally open its eyes in panic.
>
> And I am forced to agree as well... To be honest, I still at times
> question exactly what the "relationship" between the ASF and Maven is.
> It's no surprise that Maven chomps at the bit quite a bit regarding
> ASF policies, but values the "Apache brand" enough to toe the
> line. But IMO it is time for the ASF to see how this is increasing
> the risk and potential for trouble with the whole foundation.