Re: [VOTE] Maven Script Interpreter 1.4 and Maven Invoker Plugin 3.4.0
My +1

On Fri, 16 Dec 2022 at 17:31, Hervé Boutemy wrote:
>
> +1
>
> Reproducible Builds ok: reference builds done on *nix
> - maven-script-interpreter with JDK 19
> - maven-invoker-plugin with JDK 11
>
> notice that for releases, I tend to prefer using an LTS JDK

Ah yes, good catch, and sorry for that. As JDK 19 is the goal of this release, I did some testing etc. and forgot to change back JAVA_HOME before release. But as we have a target m-compiler-p configured, this shouldn't be a problem.

>
> Regards,
>
> Hervé
>
> On Thursday, 15 December 2022, 04:29:47 CET, Olivier Lamy wrote:
> > Hi,
> > I'd like to release Maven Script Interpreter 1.4 and Maven Invoker Plugin 3.4.0. The main goal is to support JDK 19.
> >
> > Maven Script Interpreter 1.4 release notes
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352358 eName=Text=12317922=Create
> >
> > Staged repo: https://repository.apache.org/content/repositories/maven-1836/
> > sources:
> > https://repository.apache.org/content/repositories/maven-1836/org/apache/maven/shared/maven-script-interpreter/1.4/maven-script-interpreter-1.4-source-release.zip
> >
> > sources sha512
> > https://repository.apache.org/content/repositories/maven-1836/org/apache/maven/shared/maven-script-interpreter/1.4/maven-script-interpreter-1.4-source-release.zip.sha512
> >
> > staged site:
> > https://maven.apache.org/shared-archives/maven-script-interpreter-LATEST/
> >
> > Maven Invoker Plugin 3.4.0 Release notes
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12317525 rsion=12330828
> >
> > staged repo: https://repository.apache.org/content/repositories/maven-1837/
> > sources
> > https://repository.apache.org/content/repositories/maven-1837/org/apache/maven/plugins/maven-invoker-plugin/3.4.0/maven-invoker-plugin-3.4.0-source-release.zip
> > sources sha512
> > https://repository.apache.org/content/repositories/maven-1837/org/apache/maven/plugins/maven-invoker-plugin/3.4.0/maven-invoker-plugin-3.4.0-source-release.zip.sha512
> >
> > vote open for 72H (countdown https://s.apache.org/m64qv )
> > +1
> > 0
> > -1
> >
> > cheers
> > Olivier
> >
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
Re: How secure is invoking a single mojo?
Howdy, just an interesting fact: if we remain in the "Java realm" and are kinda afraid of "arbitrary Java code execution", I'd convert the plugin to the Takari Incremental plugin: https://github.com/takari/io.takari.incrementalbuild

Its runtime "cages" the Mojos and allows them to read from and write to only controlled locations... https://github.com/takari/io.takari.incrementalbuild/tree/master/takari-builder-enforcer

Sadly, it uses SecurityManager to achieve this, which has been deprecated in the latest Java versions...

T

On Fri, Dec 16, 2022 at 10:33 PM Elliotte Rusty Harold wrote:
> On Fri, Dec 16, 2022 at 5:02 PM Aldrin Leal wrote:
> >
> > Hello,
> >
> > Just a question I'd like to confirm with you guys: How "safe" is it to run `dependency:tree` on a given arbitrary pom?
> >
>
> All that should do is load various XML files from possibly remote servers and parse them, so it's about as safe as doing that. It shouldn't trigger the running of any code not already in the maven dependency plugin and its dependencies. And that is all Java. If you could find a way to trigger bad behavior by feeding an arbitrary byte stream into the XML parser in the JDK or the maven-dependency-plugin and its dependencies, then there could be an issue. I'd guess that it might be possible to crash or hang Maven by sending sufficiently ugly malformed XML down the pipe. I'd be surprised if you could get as far as executing arbitrary code. That would probably require finding a serious JDK bug. It's possible there is such a bug waiting to be discovered, but I don't know of any.
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
Re: How secure is invoking a single mojo?
On Fri, Dec 16, 2022 at 5:02 PM Aldrin Leal wrote:
>
> Hello,
>
> Just a question I'd like to confirm with you guys: How "safe" is it to run `dependency:tree` on a given arbitrary pom?
>

All that should do is load various XML files from possibly remote servers and parse them, so it's about as safe as doing that. It shouldn't trigger the running of any code not already in the maven dependency plugin and its dependencies. And that is all Java. If you could find a way to trigger bad behavior by feeding an arbitrary byte stream into the XML parser in the JDK or the maven-dependency-plugin and its dependencies, then there could be an issue. I'd guess that it might be possible to crash or hang Maven by sending sufficiently ugly malformed XML down the pipe. I'd be surprised if you could get as far as executing arbitrary code. That would probably require finding a serious JDK bug. It's possible there is such a bug waiting to be discovered, but I don't know of any.

--
Elliotte Rusty Harold
elh...@ibiblio.org
Re: How secure is invoking a single mojo?
You can write a simple app, using resolver. There are demos that perform fully functional things, for example https://github.com/apache/maven-resolver/blob/master/maven-resolver-demos/maven-resolver-demo-snippets/src/main/java/org/apache/maven/resolver/examples/GetDependencyTree.java

Hth
T

On Fri, Dec 16, 2022, 22:12 Aldrin Leal wrote:
> Thanks Michael, indeed this can be better worded. What about:
>
> How to programmatically list a pom's dependencies (incl. transitive) without the risk of running untrusted/unauthorized code?
>
> --
> -- Aldrin Leal, / https://aldrinleal.link
>
>
> On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov wrote:
> > On 2022-12-16 at 18:02, Aldrin Leal wrote:
> > > Hello,
> > >
> > > Just a question I'd like to confirm with you guys: How "safe" is it to run `dependency:tree` on a given arbitrary pom?
> > >
> > > I mean, what's the likelihood of that pom.xml triggering some "unsafe" code?
> > >
> > > And how would you do this (listing all the required runtime jar files for a given project) in the most secure way if you were given this task?
> >
> > Safety and security are two different things. What are you striving for?
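As an added illustration of the resolver-only approach Tamás points to (this is not code from the thread or from the resolver demo), a small app that collects the transitive dependency graph of a POM by its coordinates using Maven Resolver alone, so that POMs are only downloaded and parsed and no plugin or build extension declared in them is ever instantiated. It assumes maven-resolver-supplier (Resolver 1.9.15 or later) and maven-resolver-provider on the classpath, Maven Central as the only remote repository, and coordinates as input, as the demo does; the class and method names are hypothetical.

```java
import java.util.List;

import org.apache.maven.repository.internal.MavenRepositorySystemUtils;
import org.eclipse.aether.DefaultRepositorySystemSession;
import org.eclipse.aether.RepositorySystem;
import org.eclipse.aether.artifact.Artifact;
import org.eclipse.aether.artifact.DefaultArtifact;
import org.eclipse.aether.collection.CollectRequest;
import org.eclipse.aether.collection.CollectResult;
import org.eclipse.aether.collection.DependencyCollectionException;
import org.eclipse.aether.graph.Dependency;
import org.eclipse.aether.repository.LocalRepository;
import org.eclipse.aether.repository.RemoteRepository;
import org.eclipse.aether.supplier.RepositorySystemSupplier;
import org.eclipse.aether.util.graph.visitor.PreorderNodeListGenerator;

/** Hypothetical helper (added example): collects a dependency graph with Resolver alone, so no Maven plugin runs. */
public final class DependencyLister {
    private static final RemoteRepository CENTRAL = new RemoteRepository.Builder(
            "central", "default", "https://repo.maven.apache.org/maven2/").build();

    /** Transitive dependencies of the given coordinates; only POM metadata is fetched and parsed. */
    public static List<Artifact> dependencies(String coords, String localRepoDir)
            throws DependencyCollectionException {
        // Assumes maven-resolver-supplier (Resolver 1.9.15+); older versions bootstrap via a service locator.
        RepositorySystem system = new RepositorySystemSupplier().get();
        // newSession() already installs a selector that drops test and provided scopes.
        DefaultRepositorySystemSession session = MavenRepositorySystemUtils.newSession();
        // Cache into a directory you control instead of the user's ~/.m2 repository.
        session.setLocalRepositoryManager(
                system.newLocalRepositoryManager(session, new LocalRepository(localRepoDir)));
        CollectRequest request = new CollectRequest();
        request.setRoot(new Dependency(new DefaultArtifact(coords), ""));
        request.addRepository(CENTRAL);

        // collectDependencies builds the graph from POMs only; no jar is downloaded and
        // no build extension or plugin declared in those POMs is ever instantiated.
        CollectResult result = system.collectDependencies(session, request);
        PreorderNodeListGenerator nlg = new PreorderNodeListGenerator();
        result.getRoot().accept(nlg);
        return nlg.getArtifacts(true); // true: keep nodes whose jar was (deliberately) not resolved; includes the root
    }

    public static void main(String[] args) throws DependencyCollectionException {
        // Coordinates of the Maven Script Interpreter release voted on in this digest.
        dependencies("org.apache.maven.shared:maven-script-interpreter:1.4", "target/local-repo")
                .forEach(System.out::println);
    }
}
```

Because only `collectDependencies` is called, the jars themselves are never fetched; a separate `resolveArtifacts` step would be needed before anything from the listed artifacts could run.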
Re: How secure is invoking a single mojo?
Thanks Michael, indeed this can be better worded. What about:

How to programmatically list a pom's dependencies (incl. transitive) without the risk of running untrusted/unauthorized code?

--
-- Aldrin Leal, / https://aldrinleal.link

On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov wrote:
> On 2022-12-16 at 18:02, Aldrin Leal wrote:
> > Hello,
> >
> > Just a question I'd like to confirm with you guys: How "safe" is it to run `dependency:tree` on a given arbitrary pom?
> >
> > I mean, what's the likelihood of that pom.xml triggering some "unsafe" code?
> >
> > And how would you do this (listing all the required runtime jar files for a given project) in the most secure way if you were given this task?
>
> Safety and security are two different things. What are you striving for?
Re: How secure is invoking a single mojo?
On 2022-12-16 at 18:02, Aldrin Leal wrote:
> Hello,
>
> Just a question I'd like to confirm with you guys: How "safe" is it to run `dependency:tree` on a given arbitrary pom?
>
> I mean, what's the likelihood of that pom.xml triggering some "unsafe" code?
>
> And how would you do this (listing all the required runtime jar files for a given project) in the most secure way if you were given this task?

Safety and security are two different things. What are you striving for?
How secure is invoking a single mojo?
Hello,

Just a question I'd like to confirm with you guys: How "safe" is it to run `dependency:tree` on a given arbitrary pom?

I mean, what's the likelihood of that pom.xml triggering some "unsafe" code?

And how would you do this (listing all the required runtime jar files for a given project) in the most secure way if you were given this task?

Thank you
--
-- Aldrin Leal, / https://aldrinleal.link
Re: [VOTE] Release Apache Maven Daemon 1.0.0-m1
+1

On Fri, 16 Dec 2022 at 14:48, Guillaume Nodet wrote:
> On Fri, 16 Dec 2022 at 14:30, Lasse Lindqvist wrote:
> > The link
> > https://github.com/apache/maven-mvnd/releases/tag/untagged-2285434bf6532985094a
> > returns 404.
>
> Fixed
>
> > Is the plan that 1.x versions only run Maven 4?
>
> Yes. We may release a 0.9.x based on Maven 3.9.x but there are no definite plans yet.
>
> > On Fri, 16 Dec 2022 at 15:07, Guillaume Nodet (gno...@apache.org) wrote:
> > > I've staged a candidate release at
> > > https://dist.apache.org/repos/dist/dev/maven/mvnd/1.0.0-m1/
> > >
> > > Note that this release is based on the latest Maven 4.0.0-alpha-3.
> > > The release notes are available at
> > > https://github.com/apache/maven-mvnd/releases/tag/untagged-2285434bf6532985094a
> > >
> > > Please review and vote!
> > > --
> > > Guillaume Nodet
>
> --
> Guillaume Nodet
Re: [VOTE] Release Apache Maven Daemon 1.0.0-m1
On Fri, 16 Dec 2022 at 14:30, Lasse Lindqvist wrote:
> The link
> https://github.com/apache/maven-mvnd/releases/tag/untagged-2285434bf6532985094a
> returns 404.

Fixed

> Is the plan that 1.x versions only run Maven 4?

Yes. We may release a 0.9.x based on Maven 3.9.x but there are no definite plans yet.

> On Fri, 16 Dec 2022 at 15:07, Guillaume Nodet (gno...@apache.org) wrote:
> > I've staged a candidate release at
> > https://dist.apache.org/repos/dist/dev/maven/mvnd/1.0.0-m1/
> >
> > Note that this release is based on the latest Maven 4.0.0-alpha-3.
> > The release notes are available at
> > https://github.com/apache/maven-mvnd/releases/tag/untagged-2285434bf6532985094a
> >
> > Please review and vote!
> > --
> > Guillaume Nodet

--
Guillaume Nodet
Re: [VOTE] Release Apache Maven Daemon 1.0.0-m1
The link https://github.com/apache/maven-mvnd/releases/tag/untagged-2285434bf6532985094a returns 404.

Is the plan that 1.x versions only run Maven 4?

On Fri, 16 Dec 2022 at 15:07, Guillaume Nodet (gno...@apache.org) wrote:
> I've staged a candidate release at
> https://dist.apache.org/repos/dist/dev/maven/mvnd/1.0.0-m1/
>
> Note that this release is based on the latest Maven 4.0.0-alpha-3.
> The release notes are available at
> https://github.com/apache/maven-mvnd/releases/tag/untagged-2285434bf6532985094a
>
> Please review and vote!
> --
> Guillaume Nodet
[VOTE] Release Apache Maven Daemon 1.0.0-m1
I've staged a candidate release at https://dist.apache.org/repos/dist/dev/maven/mvnd/1.0.0-m1/

Note that this release is based on the latest Maven 4.0.0-alpha-3. The release notes are available at https://github.com/apache/maven-mvnd/releases/tag/untagged-2285434bf6532985094a

Please review and vote!

--
Guillaume Nodet
[GitHub] [maven-shared-incremental] michael-o commented on a diff in pull request #18: store last compilation time
michael-o commented on code in PR #18:
URL: https://github.com/apache/maven-shared-incremental/pull/18#discussion_r1050467545

## src/main/java/org/apache/maven/shared/incremental/IncrementalBuildHelper.java:
## @@ -48,6 +52,13 @@
 public static final String CREATED_FILES_LST_FILENAME = "createdFiles.lst";
 private static final String INPUT_FILES_LST_FILENAME = "inputFiles.lst";
+private static final String INFO_FILENAME = "info.properties";
+
+private static final String LAST_COMPILE_SUCCESS_TIMESTAMP = "lastCompile.success.timestamp";
+
+private static final String LAST_TEST_COMPILE_SUCCESS_TIMESTAMP = "lastTestCompile.success.timestamp";

Review Comment:
Unless you are going to have other keys under `success` one should rather use underscores or camelCase since dots denote a hierarchy. Similar: https://issues.apache.org/jira/browse/VELOCITY-909

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
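Review bot: the two new key constants `LAST_COMPILE_SUCCESS_TIMESTAMP` and `LAST_TEST_COMPILE_SUCCESS_TIMESTAMP` in this hunk do not say in what form the timestamp is written (epoch milliseconds or a formatted date) or which clock it comes from; since the PR stores the last compilation time in `info.properties` for a later build to read back, add a short Javadoc to each constant stating the unit and format so that the writer and the reader of that file cannot drift apart, and consider also documenting `INFO_FILENAME` alongside the existing `*.lst` file-name constants it joins.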