On Tue, Mar 20, 2012 at 5:07 PM, Olivier Lamy <[email protected]> wrote:
> 2012/3/20 Brian Fox <[email protected]>:
>> On Tue, Mar 20, 2012 at 12:58 PM, Olivier Lamy <[email protected]> wrote:
>>
>>> Hello Folks,
>>>
>>> The default preemptive on for GET is probably a bad idea.
>>> Imagine the following case, in your settings you have:
>>>
>>> <server>
>>>   <username>olamy</username>
>>>   <password>reallycomplicatedpassword</password>
>>>   <id>foo.org</id>
>>> </server>
>>>
>>> During dependencies resolution, you get a pom with a repository.
>>>
>>> <repository>
>>>   <id>foo.org</id>
>>>   <url>http://yourpasswordwillbehacked.org/</url>
>>> </repository>
>>>
>>> So with preemptive or not, you will expose your password to a server
>>> you probably don't trust.
>>>
>>> My ideas are:
>>> * preemptive off by default for GET
>>
>>
>> +1000
>>
>>>
>>> * adding a url element in server element in the settings. And when
>>> using a remote repository send authz only if host:ip match
>>>
>>
>> I'm concerned about compatibility with previous maven versions if we
>> do this as it's very common to share settings across different
>> versions (think m2 cli + m2e with embedded m3)
> Agree too. BTW at least at the beginning will be a [WARN]
>>

Are you saying that all previous versions of maven just warn on new elements in the settings.xml, or are you going to go back and magically make them warn now? ;-)

> why not even if not self documented by xml element names :-)
>

See above.
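As an added example (not part of the thread and not Maven's own code), here is the policy Olivier proposes modelled in Python: a server entry's credentials are released to a repository only when the repository's host matches the entry, instead of on id alone. The `<url>` element on `<server>`, the settings and POM fragments, and the function names are assumptions made for the demonstration; the check also compares scheme and port, which is stricter than the host:ip match in the mail, and a `require_url=False` mode reproduces today's id-only behaviour with the `[WARN]` mentioned above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed settings.xml fragment. The <url> element on <server> is the
# hypothetical extension discussed on the list, not part of the real schema.
SETTINGS_XML = """
<settings>
  <servers>
    <server>
      <id>foo.org</id>
      <username>olamy</username>
      <password>reallycomplicatedpassword</password>
      <url>https://repo.foo.org/</url>
    </server>
    <server>
      <id>legacy</id>
      <username>builder</username>
      <password>secret</password>
    </server>
  </servers>
</settings>
"""

# Constructed POM fragment: the first repository reuses the trusted id but
# points somewhere else, exactly the case described in the mail.
POM_XML = """
<project>
  <repositories>
    <repository>
      <id>foo.org</id>
      <url>http://yourpasswordwillbehacked.org/</url>
    </repository>
    <repository>
      <id>foo.org</id>
      <url>https://repo.foo.org/releases/</url>
    </repository>
    <repository>
      <id>legacy</id>
      <url>http://mirror.example.test/</url>
    </repository>
  </repositories>
</project>
"""


def load_servers(settings_xml):
    """Return {id: {"username", "password", "url"}} from a settings document."""
    servers = {}
    for srv in ET.fromstring(settings_xml).iter("server"):
        servers[srv.findtext("id")] = {
            "username": srv.findtext("username"),
            "password": srv.findtext("password"),
            "url": srv.findtext("url"),  # None when the element is absent
        }
    return servers


def load_repositories(pom_xml):
    """Return [(id, url), ...] for every <repository> in a POM document."""
    return [(r.findtext("id"), r.findtext("url"))
            for r in ET.fromstring(pom_xml).iter("repository")]


def _origin(url):
    """(scheme, host, port) with the default port made explicit, so that
    https://repo.foo.org/ and https://repo.foo.org:443/x compare equal."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    host = parts.hostname.lower() if parts.hostname else None
    return (parts.scheme, host, port)


def credentials_for(repo_id, repo_url, servers, require_url=True):
    """Return (username, password) to send to repo_url, or None.

    Credentials are released only when the server entry carries a <url>
    whose origin equals the repository's. With require_url=False an entry
    without <url> falls back to id-only matching, with a warning."""
    srv = servers.get(repo_id)
    if srv is None:
        return None
    if srv["url"] is None:
        if require_url:
            return None
        print(f"[WARN] server '{repo_id}' has no <url>; matching by id only")
        return srv["username"], srv["password"]
    if _origin(srv["url"]) != _origin(repo_url):
        return None
    return srv["username"], srv["password"]


def plan(settings_xml=SETTINGS_XML, pom_xml=POM_XML, require_url=True):
    """Map each repository URL to the credentials that would be sent to it."""
    servers = load_servers(settings_xml)
    return {url: credentials_for(rid, url, servers, require_url)
            for rid, url in load_repositories(pom_xml)}


if __name__ == "__main__":
    for url, creds in plan().items():
        print(f"{url}: {'send ' + creds[0] if creds else 'no credentials'}")
```

With the strict mode, the `foo.org` password goes only to `https://repo.foo.org/…` and never to the look-alike repository that merely reuses the id; the `legacy` entry without a `<url>` gets nothing until its owner adds one, which is the compatibility cost Brian raises.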
