Le ven. 2 avr. 2021 à 18:39, Hervé BOUTEMY <herve.bout...@free.fr> a écrit :
> backporting MNG-7119, I understand that it fixes a (low severity) security > issue > > backporting MNG-7116, MNG-7117 and MNG-7128 without MNG-7118 does not > backport > THE security fix = MNG-7118 block HTTP by default > Nop, this is NOT a security fix for most build Hervé, it is only for builds not customizing the global settings.xml. Concretely, it is 1-1 due to maven usage to have or not the default regarding the security fix (agree it is saner to have it by default) but for 3.6 branch breaking by default is not an opiotn, therefore enabling to use it but not enabling it out of the box. > > sorry, breaking by default is the security fix: if you don't want breaking > by > default, you don't want the security fix > Not sure I'm following the reasoning. What I said in the 3.6/3.8 thread was that we must enable the security fix to be used in 3.6 branch, this is what does the PR. > > Regards, > > Hervé > > Le vendredi 2 avril 2021, 09:20:37 CEST Romain Manni-Bucau a écrit : > > Hi all, > > > > As explained in another thread, I created > > https://github.com/apache/maven/pull/462 to backport the security fix on > > 3.8 in 3.6.x. > > Anyone able to review it? > > Only change is that the default configuration is not there but it can be > > enabled - idea is to document it instead of breaking by default. > > > > Romain Manni-Bucau > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > <https://rmannibucau.metawerx.net/> | Old Blog > > <http://rmannibucau.wordpress.com> | Github < > https://github.com/rmannibucau> > > | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > > < > https://www.packtpub.com/application-development/java-ee-8-high-performance > > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org > For additional commands, e-mail: dev-h...@maven.apache.org > >
