On Wed, 30 Jun 2004, Leo Simons <[EMAIL PROTECTED]> wrote:

> Ah, right. I have this idea where we build up our own private jar
> repository (currently ~/.ant-basic-profile and
> ~/.maven-basic-profile) that contains the trusted, released versions
> of the libraries.

Uhm, not ideal but it seems I'll have to live with it.

> Stefan Bodewig wrote:
>
>> What security threat am I missing?
>
> For example, imagine I was the author of a weird library that some
> weird commons code depended on... it is entirely possible to write a
> task in an ant build.xml file that recompiles a class in tomcat and
> opens a back door. That might take a while to notice.

I see. Even easier than that, a simple <copy> would do.

Thanks!

Where do we go from here? Do I give you a list and a shell script to
play with, or should I set something (non-cron'ed) up on brutus so you
can have a look at it?

Stefan