Re: How secure is invoking a single mojo?

2022-12-28 Thread Aldrin Leal
Tamas,

Thanks for your idea. If I wanted to resolve from reading a pom file from
scratch, where would you point me (thinking MavenXpp3Reader and friends
perhaps?).

--
-- Aldrin Leal,  / https://aldrinleal.link


On Fri, Dec 16, 2022 at 4:17 PM Tamás Cservenák  wrote:

> You can write a simple app, using resolver. There are demos that perform
> fully functional things, for example
>
>
> https://github.com/apache/maven-resolver/blob/master/maven-resolver-demos/maven-resolver-demo-snippets/src/main/java/org/apache/maven/resolver/examples/GetDependencyTree.java
>
> Hth
> T
>
> On Fri, Dec 16, 2022, 22:12 Aldrin Leal  wrote:
>
> > Thanks Michael, indeed this can be better worded. What about:
> >
> > How to programmatically list a pom's dependencies (incl. transitive) without
> > the risk of running untrusted/unauthorized code?
> >
> > --
> > -- Aldrin Leal,  / https://aldrinleal.link
> >
> >
> > On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov wrote:
> >
> > > On 2022-12-16 at 18:02, Aldrin Leal wrote:
> > > > Hello,
> > > >
> > > > Just a question I'd like to confirm with you guys: How "safe" is it to run
> > > > `dependency:tree` on a given arbitrary pom?
> > > >
> > > > I mean, what's the likelihood of that pom.xml triggering some "unsafe" code?
> > > >
> > > > And how would you do this (listing all the required runtime jar files
> > > > for a given project) in the most secure way if you were given this task?
> > >
> > > Safety and security are two different things. What are you striving for?
> > >
> > >
> > > -
> > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > > For additional commands, e-mail: dev-h...@maven.apache.org
> > >
> > >
> >
>
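A worked version of the approach Tamás points at, added here as an example and not code from the thread or from the maven-resolver demos: it collects a POM's full transitive dependency graph through Maven Resolver alone, with no build lifecycle involved, and locks the session down so that only the repository it names is ever contacted. It assumes maven-resolver-provider, maven-resolver-connector-basic and maven-resolver-transport-http on the classpath; the class name, the default coordinates and the `target/local-repo` path are my own choices.

```java
import org.apache.maven.repository.internal.MavenRepositorySystemUtils;
import org.eclipse.aether.DefaultRepositorySystemSession;
import org.eclipse.aether.RepositorySystem;
import org.eclipse.aether.artifact.DefaultArtifact;
import org.eclipse.aether.collection.CollectRequest;
import org.eclipse.aether.collection.CollectResult;
import org.eclipse.aether.connector.basic.BasicRepositoryConnectorFactory;
import org.eclipse.aether.graph.Dependency;
import org.eclipse.aether.graph.DependencyNode;
import org.eclipse.aether.impl.DefaultServiceLocator;
import org.eclipse.aether.repository.LocalRepository;
import org.eclipse.aether.repository.RemoteRepository;
import org.eclipse.aether.repository.RepositoryPolicy;
import org.eclipse.aether.spi.connector.RepositoryConnectorFactory;
import org.eclipse.aether.spi.connector.transport.TransporterFactory;
import org.eclipse.aether.transport.http.HttpTransporterFactory;
import org.eclipse.aether.util.graph.visitor.PreorderNodeListGenerator;

public class ListPomDependencies {
    public static void main(String[] args) throws Exception {
        // Root coordinates (constructed default); the project's POM is fetched and read, never built.
        String gav = args.length > 0 ? args[0] : "org.apache.maven:maven-core:3.8.7";
        // Wire up a RepositorySystem (service-locator API: deprecated in resolver 1.9, still present).
        DefaultServiceLocator locator = MavenRepositorySystemUtils.newServiceLocator();
        locator.addService(RepositoryConnectorFactory.class, BasicRepositoryConnectorFactory.class);
        locator.addService(TransporterFactory.class, HttpTransporterFactory.class);
        RepositorySystem system = locator.getService(RepositorySystem.class);
        DefaultRepositorySystemSession session = MavenRepositorySystemUtils.newSession();
        session.setLocalRepositoryManager(
                system.newLocalRepositoryManager(session, new LocalRepository("target/local-repo")));
        // Hardening: ignore <repositories> declared inside downloaded POMs, so only the
        // repository named below is ever contacted, and fail hard on a checksum mismatch.
        session.setIgnoreArtifactDescriptorRepositories(true);
        session.setChecksumPolicy(RepositoryPolicy.CHECKSUM_POLICY_FAIL);
        RemoteRepository central = new RemoteRepository.Builder(
                "central", "default", "https://repo.maven.apache.org/maven2/").build();
        CollectRequest request = new CollectRequest();
        request.setRoot(new Dependency(new DefaultArtifact(gav), "compile"));
        request.addRepository(central);
        // collectDependencies reads and merges POMs (parents, BOMs, properties); it runs
        // no plugins and no build extensions, which is what keeps foreign code out of the picture.
        CollectResult result = system.collectDependencies(session, request);
        PreorderNodeListGenerator nlg = new PreorderNodeListGenerator();
        result.getRoot().accept(nlg);
        for (DependencyNode node : nlg.getNodes()) {
            System.out.println(node.getDependency().getScope() + "  " + node.getArtifact());
        }
    }
}
```

Only POMs are downloaded by this step; the default session already drops test and provided transitives, so keeping the compile and runtime lines of the output gives the runtime jar list the question asks for, and `resolveDependencies` on the same request would fetch the jars themselves.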


Re: [VOTE] Release Apache Maven version 3.8.7

2022-12-28 Thread Arnaud Héritier
+1

On Sat, Dec 24, 2022 at 9:20 PM Michael Osipov  wrote:

> Hi,
>
> We solved 19 issues:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922=12352690
>
> There are still hundreds of issues left in JIRA:
>
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20resolution%20%3D%20Unresolved
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1839/
>
> Dev dist directory:
> https://dist.apache.org/repos/dist/dev/maven/maven-3/3.8.7/
>
> Source release checksums:
> apache-maven-3.8.7-src.zip sha512:
>
> 7c5bbdfbd85711d11f93254208978b47e4dcf010f94a1b9f549c3040507d751dff10d99c5f3af5fa92fd44b4261fc950d69eac345736f62007416e1350319891
> apache-maven-3.8.7-src.tar.gz sha512:
>
> 99dc6a44811d945d2d9a9e88b32abde5a82e4a8fa202ff217a5e3106d7fc532f347cff01331f6c2c0d86b2cf67fc0d0ee609d0c7d39b352a9422b990e49a81eb
>
> Binary release checksums:
> apache-maven-3.8.7-bin.zip sha512:
>
> c687fcdc3890bcf0f9f9dbc42ceded21dc80f0dcc5541c28912a99224694793f6e437998e46b5939bd314178865263c62a069c6c6f15d1d0541eea75748c46fd
> apache-maven-3.8.7-bin.tar.gz sha512:
>
> 21c2be0a180a326353e8f6d12289f74bc7cd53080305f05358936f3a1b6dd4d91203f4cc799e81761cf5c53c5bbe9dcc13bdb27ec8f57ecf21b2f9ceec3c8d27
>
> Draft for release notes:
> https://github.com/apache/maven-site/pull/356
>
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open until 2022-12-30T20:00Z
>
> [ ] +1
> [ ] +0
> [ ] -1
>
>
>

-- 
Arnaud Héritier
Twitter/GitHub/... : aheritier


Re: [VOTE] Release Apache Maven version 3.8.7

2022-12-28 Thread Tamás Cservenák
+1

On Sat, Dec 24, 2022 at 9:20 PM Michael Osipov  wrote:

> Hi,
>
> We solved 19 issues:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922=12352690
>
> There are still hundreds of issues left in JIRA:
>
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20resolution%20%3D%20Unresolved
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1839/
>
> Dev dist directory:
> https://dist.apache.org/repos/dist/dev/maven/maven-3/3.8.7/
>
> Source release checksums:
> apache-maven-3.8.7-src.zip sha512:
>
> 7c5bbdfbd85711d11f93254208978b47e4dcf010f94a1b9f549c3040507d751dff10d99c5f3af5fa92fd44b4261fc950d69eac345736f62007416e1350319891
> apache-maven-3.8.7-src.tar.gz sha512:
>
> 99dc6a44811d945d2d9a9e88b32abde5a82e4a8fa202ff217a5e3106d7fc532f347cff01331f6c2c0d86b2cf67fc0d0ee609d0c7d39b352a9422b990e49a81eb
>
> Binary release checksums:
> apache-maven-3.8.7-bin.zip sha512:
>
> c687fcdc3890bcf0f9f9dbc42ceded21dc80f0dcc5541c28912a99224694793f6e437998e46b5939bd314178865263c62a069c6c6f15d1d0541eea75748c46fd
> apache-maven-3.8.7-bin.tar.gz sha512:
>
> 21c2be0a180a326353e8f6d12289f74bc7cd53080305f05358936f3a1b6dd4d91203f4cc799e81761cf5c53c5bbe9dcc13bdb27ec8f57ecf21b2f9ceec3c8d27
>
> Draft for release notes:
> https://github.com/apache/maven-site/pull/356
>
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open until 2022-12-30T20:00Z
>
> [ ] +1
> [ ] +0
> [ ] -1
>
>
>