point seems to say that 1) above is
>>> the best/only method. But clearly, 2) is also another method. Of
>>> course, 3) above is also yet another method for fetching Maven
>>> dependencies.
>>>
>> Your company can also run its own maven repo server (such as Nexus),
>> that can hold both your company's internal maven artifacts and proxy
>> to external maven repos like maven central. Then when you need a 3rd
>> party artifact that is not in maven central, you can simply load it
>> once to this repo and none of your developers need to do anything.
>
--
Jim Manico
Manicode Security
https://www.manicode.com
That's true Scott. Xerces is a big player in the XML parsing world. I'm just a
security activist trying to encourage important libraries like Xerces to use
safe defaults when they can. And for XXE, for sure, there is precedent to turn
it off by default since it's so dangerous.
efaults in software when you
can.
Note: IBM has a very expensive product *just* to handle this issue - which
would be largely unnecessary if Xerces defaulted to turning external entities
off by default.
With respect,
--
Jim Manico
@Manicode
(808) 652-3805
> On Mar 4, 2015, at 8:2
How can I help? I'm happy to submit a patch if you like... This is a fairly
critical security issue and I'm willing to get my hands dirty and help
code? wash your car? free trips to Hawaii? What do you need?
Aloha,
--
Jim Manico
@Manicode
(808) 652-3805
> On Mar 4, 2015, at 9:
of this. Turning it off by default would make the world a safer place.
Respectfully,
--
Jim Manico
@Manicode
(808) 652-3805
> On Mar 4, 2015, at 8:56 AM, Michael Glavassevich wrote:
>
> Hi,
>
> There has been some work done on the trunk [1] to make it easier for users
> to
rious risk to be left on
by default.
Has there been any discussion on this before? Forgive me if I am late to the
game here.
Aloha,
--
Jim Manico
@Manicode
(808) 652-3805
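The setting the thread is arguing about, as an added example that is not code from the thread or from Xerces itself: a JAXP parser configured the way the messages above want Xerces to behave out of the box, with external entities off and, going one step further, DOCTYPE declarations refused outright. It assumes a Xerces-based DocumentBuilderFactory (the JDK's built-in one qualifies); the feature URIs are the standard Xerces/SAX ones, and the sample document is constructed.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public final class HardenedXmlParser {

    // Feature URIs understood by Xerces (and the JDK's bundled Xerces fork).
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER =
        "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Builds a parser with the defaults the thread says Xerces should ship. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest option: no DOCTYPE at all, so no entity declarations can appear.
        f.setFeature(DISALLOW_DOCTYPE, true);
        // Belt and braces for deployments that must keep accepting a DOCTYPE.
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one plain document, one carrying an external entity.
        String plain = "<d>hello</d>";
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/ext.xml\">]>\n"
            + "<d>&ext;</d>";

        DocumentBuilder db = newHardenedBuilder();
        Document ok = db.parse(new InputSource(new StringReader(plain)));
        System.out.println("plain document root: " + ok.getDocumentElement().getTagName());
        try {
            db.parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes Xerces reject the document before resolving anything.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```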
To unsubscribe, e-mail: j-users-unsubscr...@xerces.apach