On Tue, Mar 20, 2012 at 6:28 PM, Olivier Lamy <ol...@apache.org> wrote:
> 2012/3/20 Brian Fox <bri...@infinity.nu>:
>> On Tue, Mar 20, 2012 at 5:07 PM, Olivier Lamy <ol...@apache.org> wrote:
>>> 2012/3/20 Brian Fox <bri...@infinity.nu>:
>>>> On Tue, Mar 20, 2012 at 12:58 PM, Olivier Lamy <ol...@apache.org> wrote:
>>>>
>>>>> Hello Folks,
>>>>>
>>>>> The default preemptive on for GET is probably a bad idea.
>>>>> Imagine the following case, in your settings you have:
>>>>>
>>>>> <server>
>>>>>   <username>olamy</username>
>>>>>   <password>reallycomplicatedpassword</password>
>>>>>   <id>foo.org</id>
>>>>> </server>
>>>>>
>>>>> During dependency resolution, you get a pom with a repository.
>>>>>
>>>>> <repository>
>>>>>   <id>foo.org</id>
>>>>>   <url>http://yourpasswordwillbehacked.org/</url>
>>>>> </repository>
>>>>>
>>>>> So with preemptive or not, you will expose your password to a server
>>>>> you probably don't trust.
>>>>>
>>>>> My ideas are:
>>>>> * preemptive off by default for GET
>>>>
>>>> +1000
>>>>
>>>>> * adding a url element in server element in the settings. And when
>>>>> using a remote repository send authz only if host:ip match
>>>>
>>>> I'm concerned about compatibility with previous maven versions if we
>>>> do this as it's very common to share settings across different
>>>> versions (think m2 cli + m2e with embedded m3)
>>>
>>> Agree too. BTW at least at the beginning there will be a [WARN]
>>
>> Are you saying that all previous versions of maven just warn on new
>> elements in the settings.xml, or are you going to go back and
>> magically make them warn now? ;-)
>
> no :-)
>
> BTW do we consider adding a warning in 3.0.5 if id != host and fail in 3.0.6
> or fail directly in 3.0.5
I would start with a warning. It will take time to change poms and settings, and it's not a new concern (i.e. unrelated to pre-emptive auth). In fact, this kind of change might make sense to call 3.1.
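The check Olivier proposes (release a server's credentials only when the repository's host matches, and in a first release only warn when the settings carry no url to match against) can be sketched as a small decision routine. The example below is added here for illustration and is not code from the thread or from Maven itself; the `<url>` child of `<server>` is the hypothetical element under discussion, the settings.xml is constructed, and the "send-with-warning" outcome models Brian's warn-first rollout. The match is done on the full origin (scheme, host, port) rather than host alone, so an http repository cannot collect credentials configured for an https one.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed settings.xml, modelled on the thread's example. The <url> element
# inside <server> is the proposed (hypothetical) extension, not a real Maven 3.0.x
# settings element. The second server has no <url>, i.e. an unmigrated entry.
SETTINGS_XML = """<settings>
  <servers>
    <server>
      <id>foo.org</id>
      <username>olamy</username>
      <password>reallycomplicatedpassword</password>
      <url>https://repo.foo.org/</url>
    </server>
    <server>
      <id>legacy</id>
      <username>user</username>
      <password>secret</password>
    </server>
  </servers>
</settings>"""

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Server:
    id: str
    username: str
    password: str
    url: Optional[str]  # hypothetical <url> element; None for legacy entries


def parse_servers(xml_text: str) -> List[Server]:
    """Read every <server> entry from a settings document."""
    root = ET.fromstring(xml_text)
    return [
        Server(
            id=s.findtext("id", default=""),
            username=s.findtext("username", default=""),
            password=s.findtext("password", default=""),
            url=s.findtext("url"),
        )
        for s in root.iterfind("./servers/server")
    ]


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """Normalise a URL to (scheme, host, port) so http/https and explicit
    default ports compare equal to their implicit forms."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def decide(servers: List[Server], repo_id: str, repo_url: str) -> Tuple[str, str]:
    """Decide whether credentials for repo_id may be sent to repo_url.

    Returns (decision, reason) with decision one of:
      'send'              id and origin both match
      'send-with-warning' id matches but the server has no <url> to check
                          (the transitional, warn-only behaviour)
      'refuse'            unknown id, or the repository origin differs from
                          the configured one (the thread's attack case)
    """
    server = next((s for s in servers if s.id == repo_id), None)
    if server is None:
        return ("refuse", "no <server> entry with id %r" % repo_id)
    if server.url is None:
        return ("send-with-warning",
                "[WARN] server %r has no <url>; credentials released on id match only" % repo_id)
    expected, actual = origin(server.url), origin(repo_url)
    if expected != actual:
        return ("refuse", "repository origin %r does not match configured %r" % (actual, expected))
    return ("send", "id and origin match")


if __name__ == "__main__":
    servers = parse_servers(SETTINGS_XML)
    # The pom from the thread: same id, different host -> refused.
    print(decide(servers, "foo.org", "http://yourpasswordwillbehacked.org/"))
    print(decide(servers, "foo.org", "https://repo.foo.org/maven2/"))
    print(decide(servers, "legacy", "http://anything.example/"))
```

A real implementation would hook this in where the transport looks up `<server>` credentials for a remote repository; the point is that the lookup key becomes (id, origin) rather than id alone, and that entries without a url keep working with a warning until the fail-closed release.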