Jukka Zitting wrote:
> Hi,
>
> On Wed, Jul 9, 2008 at 8:46 PM, Paul Querna <[EMAIL PROTECTED]> wrote:
>> Noel J. Bergman wrote:
>>> [...] Until the Maven PMC stops abrogating its responsibility and addresses
>>> the issues, there does not appear to be anything that we can do about
>>> Maven's flaws short of banning use of the public Maven repositories entirely.
>> +1.
>>
>> If this was how Debian ran packages or FreeBSD managed the ports collection,
>> there would have already been an exploit incident.
>>
>> We are running on borrowed time, and I don't understand why the PMC
>> continues to promote features with a completely broken security model.
>
> Frankly I don't see what's so "completely broken" about the Maven
> repository. Lack of automatic signature checking?
>
> For comparison: CPAN has been available for well over a decade and it
> has had signature checking for less than three years now. And the
> feature is still optional, disabled by default.

However, AFAIK, CPAN doesn't allow every CPAN author to overwrite the files of every other CPAN author. That's the situation we are in now with the Maven repository, because we just use the filesystem on people.apache.org as the pristine copy.

To me there are two main flaws with how we manage the repository today:

1) No authenticated modifications to the repository.
2) No automated signature checking enabled by default.

To address #1, we are looking at using a Subversion repository instead of the file system on people.apache.org.

By using a Subversion repository, all modifications of the repo could be tracked via email and revision histories, and the mirrors run by infra would just be exported copies.

> So, while I do appreciate the enthusiasm, I think cries about Maven
> security being broken and the use of the repository being
> irresponsible are IMHO greatly exaggerated. Having automatic signature
> checking in Maven would be nice, but it's not a big enough itch that
> I'd personally want to scratch that and IMHO certainly not serious
> enough that I'd for example consider not using the Maven repository in
> projects I'm involved with.

You are saying you trust all 1600+ shell accounts on people.apache.org?

That not one of them is hacked, or will be hacked at some point?

That's not a risk I believe we should expose ourselves to. Moving to a Subversion-based repository would be a good first step, and adding real signature checking should also be done, but I can live with just getting the repository moved off a central machine.

-Paul
