On Mon, 2008-07-07 at 17:06 -0700, Roy T. Fielding wrote:
> Yes, it would be nice if Maven was more secure, properly checked
> signatures, and properly delegated namespaces so that third-parties
> would be unable to add artifacts within other org's trees. None of
> those issues are specific to incubator.

In the light of these reports:

http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
http://www.heise.de/newsticker/Bericht-Paket-Management-Systeme-unter-Linux-nur-bedingt-vertrauenswuerdig--/meldung/110908/

the question on attacks on the maven repository is probably no longer "how" but only "when". These are attacks on Linux repositories, which might be larger and more distributed than the maven repos, but the jackpot of cracking *the* central Java artifact distribution center would probably be bigger than getting a few thousand Linux systems to run a repo delivered backdoor.

This is definitely an issue that needs resolving sooner than later.

Ciao
Henning