I think there are a couple of issues here:
- To me this shouldn't be done with a PR, but as a set of cherry-picks to keep
to the original commit history and references.
- Branch 3.6.x contains commits that are unrelated to the 3.8.x branch
- I still don't see the need for this backport. I really doubt that people 
would pick the possible 3.6.4 over 3.8.1 if they want to protect themselves and 
do the configuration themselves. As you keep pushing for such a release, please 
let the community comment (including why they need it and why using 3.8.1 is 
not an option) on MNG-7134[1] first. 

Robert

[1] https://issues.apache.org/jira/browse/MNG-7134

On 2-4-2021 09:21:04, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
Hi all,

As explained in another thread, I created
https://github.com/apache/maven/pull/462 to backport the security fix on
3.8 in 3.6.x.
Anyone able to review it?
The only change is that the default configuration is not there, but it can be
enabled - the idea is to document it instead of breaking by default.

Romain Manni-Bucau