2012/3/20 Brian Fox <bri...@infinity.nu>:
> On Tue, Mar 20, 2012 at 12:58 PM, Olivier Lamy <ol...@apache.org> wrote:
>
>> Hello Folks,
>>
>> The default preemptive on for GET is probably a bad idea.
>> Imagine the following case, in your settings you have:
>>
>> <server>
>>   <username>olamy</username>
>>   <password>reallycomplicatedpassword</password>
>>   <id>foo.org</id>
>> </server>
>>
>> During dependency resolution, you get a pom with a repository.
>>
>> <repository>
>>   <id>foo.org</id>
>>   <url>http://yourpasswordwillbehacked.org/</url>
>> </repository>
>>
>> So with preemptive or not, you will expose your password to a server
>> you probably don't trust.
>>
>> My ideas are:
>> * preemptive off by default for GET
>
> +1000
>
>> * adding a url element in the server element in the settings. And when
>> using a remote repository, send authz only if host:ip match
>
> I'm concerned about compatibility with previous maven versions if we
> do this as it's very common to share settings across different
> versions (think m2 cli + m2e with embedded m3)

Agree too. BTW, at least at the beginning there will be a [WARN].

> But there is an issue here that needs to be solved. Perhaps instead of
> a new element, we introduce a way such that the id can be a dns entry
> and then we only use the credentials if the dns and id match.
>
> ie
>
> <repository>
>   <id>foo.org</id>
>   <url>http://yourpasswordwillbehacked.org/</url>
> </repository>
>
> won't send any credentials, even if asked via a 401 response, whereas
>
> <repository>
>   <id>foo.org</id>
>   <url>http://therealthing.foo.org/repo1</url>
> </repository>

Why not, even if not self-documented by XML element names :-)

--
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
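A sketch of the host-binding check discussed in this thread, as an added Python example that is neither from the thread nor from Maven itself. It reads a constructed settings fragment in which the `<url>` child of `<server>` is the hypothetical element Olivier proposes, falls back to Brian's "the id is a DNS name" variant when no `<url>` is present, and hands out credentials only when the repository host actually matches.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed settings.xml fragment modelled on the thread's example.
# The <url> element under <server> is the proposed (hypothetical) addition,
# not an existing Maven setting.
SETTINGS_XML = """<settings>
  <servers>
    <server>
      <id>foo.org</id>
      <username>olamy</username>
      <password>reallycomplicatedpassword</password>
    </server>
    <server>
      <id>internal</id>
      <url>https://nexus.example.internal/</url>
      <username>build</username>
      <password>buildpassword</password>
    </server>
  </servers>
</settings>"""


def load_servers(settings_xml):
    """Return {id: (username, password, bound_host_or_None)} from a settings document."""
    servers = {}
    for s in ET.fromstring(settings_xml).iter("server"):
        url = s.findtext("url")
        host = urlsplit(url).hostname if url else None
        servers[s.findtext("id")] = (s.findtext("username"), s.findtext("password"), host)
    return servers


def host_matches(repo_host, expected):
    """True if repo_host equals expected or is a subdomain of it (case-insensitive)."""
    repo_host, expected = repo_host.lower(), expected.lower()
    # The leading dot keeps "notfoo.org" from matching "foo.org".
    return repo_host == expected or repo_host.endswith("." + expected)


def credentials_for(servers, repo_id, repo_url):
    """Return (username, password) only when the repository host is bound to the server id."""
    if repo_id not in servers:
        return None
    username, password, bound_host = servers[repo_id]
    repo_host = urlsplit(repo_url).hostname or ""
    # With an explicit <url>, its host must match; otherwise the id itself is the DNS name.
    expected = bound_host if bound_host else repo_id
    return (username, password) if host_matches(repo_host, expected) else None
```

With the thread's two repositories, the first (yourpasswordwillbehacked.org) gets nothing back even though its id is foo.org, while therealthing.foo.org receives the credentials.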