On Sun, Feb 15, 2009 at 3:55 PM, Stefano Bagnara <[email protected]> wrote:
> Oleg Kalnichevski wrote:
>> Markus Wiederkehr wrote:
>>> On Mon, Feb 9, 2009 at 7:53 PM, Oleg Kalnichevski <[email protected]>

<snip>

>>> Is maven version 2.0.6 still sufficient?
>>> And for me "mvn package" always did the job; no -U, no -Plocal..
>>>
>>
>> Neither option is required. I guess -Plocal can come in handy when building
>> packages while off-line.
>
> -Plocal has been introduced as a *compromise* by me 2 years ago, after
> working weeks (if not months) trying to satisfy really strict security
> requirements from other PMC members. They were rejecting the use of maven
> to make releases if this meant using remote repositories because of
> security concerns.

i never really understood the details behind these concerns.

maven uses lots of dependencies, many of which it downloads. so, the direct way to infect a release would be by compromising the build tool itself (maven). compromising a released jar through a malware compile-time dependency sounds like something which would require a lot of skill.

if maven isn't secure enough then it shouldn't be used at all.

> Even if I understand and share the security issues and the
> reproducibility issues with m2, I always thought that the whole issue
> was a big waste of time for me and for the JAMES project. THE solution
> for maven and this issue is to set up our own repository with a
> repository manager. Unfortunately it seems there is no will to set up
> this kind of 3rd party repository inside the ASF.

the conclusion i reached is that this wouldn't be good enough anyway. what would be required is a hardened version of maven.

> The whole thing had already found inconsistency when we decided that we
> were not entitled to ship poms for jars that we ship in the stage folder
> (especially wrt javamail stuff).

licensing issues make it hard to use stage effectively

- robert
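The thread turns on whether a release built from downloaded dependencies can be trusted, and -Plocal was the compromise: build from a local repository rather than a remote one. What a local repository alone does not give you is evidence that the jars in it are still the ones that were reviewed. The script below is an added example, not code from the JAMES project or from anyone in the thread; it shows the kind of check a hardened offline build could run before packaging, verifying every pinned artifact in a local repository against a SHA-256 manifest and refusing to continue on a missing or altered jar. The repository layout, artifact names, contents and hashes are all constructed for the demo.

```python
"""Verify a local Maven-style repository against a pinned checksum manifest.

Added example (not JAMES project code): a pre-build step that rejects a
release build if any pinned artifact is missing or has been altered.
Every path, artifact and byte string here is constructed for the demo.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed stand-ins for jars in a local repository (relative paths
# follow the groupId/artifactId/version/file layout Maven uses).
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "example/lib-a/1.0/lib-a-1.0.jar": b"constructed sample jar bytes A",
    "example/lib-b/2.3/lib-b-2.3.jar": b"constructed sample jar bytes B",
}


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_repo(repo_dir: str, manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means every pinned artifact matches.

    A missing artifact is reported as well as a mismatched one: a build
    that quietly re-downloads what is absent defeats the point of pinning.
    """
    problems: List[str] = []
    for rel, expected in manifest.items():
        path = os.path.join(repo_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
            continue
        if sha256_of(path) != expected.lower():
            problems.append(f"checksum mismatch: {rel}")
    return problems


def pinned_manifest() -> Dict[str, str]:
    """The manifest a release manager would commit: hashes of the reviewed artifacts."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in SAMPLE_ARTIFACTS.items()}


def build_sample_repo() -> str:
    """Write the constructed artifacts into a throwaway directory and return its path."""
    repo = tempfile.mkdtemp(prefix="m2-sample-")
    for rel, data in SAMPLE_ARTIFACTS.items():
        full = os.path.join(repo, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return repo


def demo() -> Tuple[List[str], List[str]]:
    """Verify a clean repository, then the same repository after one jar is altered."""
    repo = build_sample_repo()
    manifest = pinned_manifest()
    before = verify_repo(repo, manifest)
    # Simulate a swapped or appended-to jar in the local repository.
    with open(os.path.join(repo, "example/lib-a/1.0/lib-a-1.0.jar"), "ab") as f:
        f.write(b" tampered")
    after = verify_repo(repo, manifest)
    return before, after


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean repository:", clean or "ok")
    print("after tampering:", tampered)
```

Run as a pre-release gate, a non-empty result from `verify_repo` should abort the build; committing the manifest next to the build descriptor makes the set of reviewed jars part of the reviewed source rather than whatever a repository happened to serve.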
