disagree: it is my last sentence on the question, no more time to lose

non breaking by default is not fixing: fixing is breaking by default

and of course, yes, a user can override default secure configuration to allow 
insecure exceptions or even global insecure: it's his responsibility


done with me

On Friday 2 April 2021, 19:01:49 CEST Romain Manni-Bucau wrote:
> On Fri, 2 Apr 2021 at 18:39, Hervé BOUTEMY <herve.bout...@free.fr> wrote:
> > backporting MNG-7119, I understand that it fixes a (low severity) security
> > issue
> > 
> > backporting MNG-7116, MNG-7117 and MNG-7128 without MNG-7118 does not
> > backport
> > THE security fix = MNG-7118 block HTTP by default
> 
> Nope, this is NOT a security fix for most builds, Hervé; it is only for builds
> not customizing the global settings.xml.
> Concretely, it is 1-1 due to maven usage to have or not the default
> regarding the security fix (agree it is saner to have it by default) but
> for 3.6 branch breaking by default is not an option, therefore enabling to
> use it but not enabling it out of the box.
> 
> > sorry, breaking by default is the security fix: if you don't want breaking
> > by
> > default, you don't want the security fix
> 
> Not sure I'm following the reasoning.
> What I said in the 3.6/3.8 thread was that we must enable the security fix
> to be used in 3.6 branch, this is what does the PR.
> 
> > Regards,
> > 
> > Hervé
> > 
> > On Friday 2 April 2021, 09:20:37 CEST Romain Manni-Bucau wrote:
> > > Hi all,
> > > 
> > > As explained in another thread, I created
> > > https://github.com/apache/maven/pull/462 to backport the security fix on
> > > 3.8  in 3.6.x.
> > > Anyone able to review it?
> > > Only change is that the default configuration is not there but it can be
> > > enabled - idea is to document it instead of breaking by default.
> > > 
> > > Romain Manni-Bucau
> > > @rmannibucau <https://twitter.com/rmannibucau> | Blog
> > > <https://rmannibucau.metawerx.net/> | Old Blog
> > > <http://rmannibucau.wordpress.com> | Github
> > > <https://github.com/rmannibucau> | LinkedIn
> > > <https://www.linkedin.com/in/rmannibucau> | Book
> > > <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> > 
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
