2012/3/20 Brian Fox <[email protected]>:
> On Tue, Mar 20, 2012 at 5:07 PM, Olivier Lamy <[email protected]> wrote:
>> 2012/3/20 Brian Fox <[email protected]>:
>>> On Tue, Mar 20, 2012 at 12:58 PM, Olivier Lamy <[email protected]> wrote:
>>>
>>>> Hello Folks,
>>>>
>>>> The default preemptive on for GET is probably a bad idea.
>>>> Imagine the following case, in your settings you have:
>>>>
>>>> <server>
>>>> <username>olamy</username>
>>>> <password>reallycomplicatedpassword</password>
>>>> <id>foo.org</id>
>>>> </server>
>>>>
>>>> During dependency resolution, you get a pom with a repository.
>>>>
>>>> <repository>
>>>> <id>foo.org</id>
>>>> <url>http://yourpasswordwillbehacked.org/</url>
>>>> </repository>
>>>>
>>>> So with preemptive or not, you will expose your password to a server
>>>> you probably don't trust.
>>>>
>>>> My ideas are:
>>>> * preemptive off by default for GET
>>>
>>>
>>> +1000
>>>
>>>>
>>>> * adding a url element in server element in the settings. And when
>>>> using a remote repository send authz only if host:ip match
>>>>
>>>
>>> I'm concerned about compatibility with previous maven versions if we
>>> do this as it's very common to share settings across different
>>> versions (think m2 cli + m2e with embedded m3)
>> Agree too. BTW at least at the beginning there will be a [WARN]
>>>
>
> Are you saying that all previous versions of maven just warn on new
> elements in the settings.xml, or are you going to go back and
> magically make them warn now? ;-)
no :-)
BTW do we consider adding a warning in 3.0.5 if id != host and fail in 3.0.6, or fail directly in 3.0.5?
>
>> why not even if not self documented by xml element names :-)
>>
>
> See above.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

--
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy
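The id-plus-host check Olivier proposes, as an added example in Python (not Maven's own code). It assumes a hypothetical `<url>` element inside `<server>`, uses a constructed settings.xml with a placeholder password, and goes a little beyond the thread by comparing scheme and port as well as host, so a plain-http repository cannot collect credentials meant for an https one; the `strict` flag models the warn-first, fail-later rollout discussed above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed settings.xml (password is a placeholder). The <url> element
# inside <server> is the hypothetical one proposed in the thread.
SETTINGS_XML = """<settings><servers><server>
  <id>foo.org</id>
  <username>olamy</username>
  <password>PLACEHOLDER_PASSWORD</password>
  <url>https://repo.foo.org/</url>
</server></servers></settings>"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def load_servers(xml_text):
    """Map server id -> (username, password, url); url is None for legacy entries."""
    servers = {}
    for s in ET.fromstring(xml_text).iter("server"):
        servers[s.findtext("id")] = (s.findtext("username"),
                                     s.findtext("password"),
                                     s.findtext("url"))
    return servers


def origin(url):
    """(scheme, host, port) of a URL, so http://x/ and https://x/ never match."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme))


def credentials_for(servers, repo_id, repo_url, strict=True):
    """Return ((username, password), reason) or (None, reason).
    Credentials are released only when the repository id matches a server
    entry AND the repository origin matches that entry's <url>. A legacy
    entry without <url> is refused in strict mode and allowed with a
    warning otherwise (the warn-then-fail rollout discussed in the thread).
    """
    entry = servers.get(repo_id)
    if entry is None:
        return None, "no server entry for id %r" % repo_id
    username, password, server_url = entry
    if server_url is None:
        if strict:
            return None, "[ERROR] server %r has no <url>; credentials withheld" % repo_id
        return (username, password), "[WARN] server %r has no <url>; sent on id match only" % repo_id
    if origin(server_url) != origin(repo_url):
        return None, "[ERROR] %s does not match server <url> %s" % (repo_url, server_url)
    return (username, password), "ok"
```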
