I see a lot of discussion in the antlib/ant2 threads about automatic download of required jars. To me this raises some security concerns. It would be quite simple for this mechanism to be abused to load unauthorized code onto a user's machine. Already, today, the ability to <get> and <exec> exists. The addition of proxy capability will only make this easier.

I've started to address this in Mutant with a simple policy file. I did reorganize the directory structure to make it more convenient for specifying the policy permissions.

Anyway, I thought it was worth raising the issue now for discussion, especially as the concept of an Ant1 antlib is again on the agenda.

Thoughts?

Conor
