Re: How secure is invoking a single mojo?
Tamas,

Thanks for your idea. If I wanted to resolve from reading a pom file from scratch, where would you point me (thinking MavenXpp3Reader and friends perhaps)?

--
-- Aldrin Leal, / https://aldrinleal.link

On Fri, Dec 16, 2022 at 4:17 PM Tamás Cservenák wrote:

> You can write a simple app, using resolver. There are demos that perform
> fully functional things, for example
>
> https://github.com/apache/maven-resolver/blob/master/maven-resolver-demos/maven-resolver-demo-snippets/src/main/java/org/apache/maven/resolver/examples/GetDependencyTree.java
>
> Hth
> T
>
> On Fri, Dec 16, 2022, 22:12 Aldrin Leal wrote:
>
> > Thanks Michael, indeed this can be better worded. What about?
> >
> > How to programmatically list a pom's dependencies (incl. transitive) without
> > the risk of running untrusted/unauthorized code?
> >
> > --
> > -- Aldrin Leal, / https://aldrinleal.link
> >
> > On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov wrote:
> >
> > > On 2022-12-16 at 18:02, Aldrin Leal wrote:
> > > > Hello,
> > > >
> > > > Just a question I'd like to confirm with you guys: How "safe" is it to run
> > > > `dependency:tree` on a given arbitrary pom?
> > > >
> > > > I mean, what's the likelihood of that pom.xml triggering some "unsafe" code?
> > > >
> > > > And how would you do this (listing all the required runtime jar files
> > > > for a given project) in the most secure way if you were given this task?
> > >
> > > Safety and security are two different things. What are you striving for?
> > >
> > > -
> > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > > For additional commands, e-mail: dev-h...@maven.apache.org
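The MavenXpp3Reader route asked about in this thread, sketched as an added example that is not code from any of the posters or from the Maven project: it parses a pom.xml purely as data and lists the directly declared dependencies that reach the runtime classpath. It assumes the `maven-model` artifact is on the classpath; the class name `ListDeclaredDependencies` and its helper methods are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

import org.apache.maven.model.Dependency;
import org.apache.maven.model.Model;
import org.apache.maven.model.io.xpp3.MavenXpp3Reader;

// Added example (hypothetical class name): reads a pom.xml as data only.
public class ListDeclaredDependencies {

    // Scopes that land on the runtime classpath; a missing scope means "compile".
    static boolean isRuntimeScope(String scope) {
        return scope == null || scope.equals("compile") || scope.equals("runtime");
    }

    // An absent version or one still holding ${...} is supplied by a parent POM,
    // dependencyManagement or a property, none of which this raw read applies.
    static boolean needsEffectiveModel(String version) {
        return version == null || version.contains("${");
    }

    public static void main(String[] args) throws Exception {
        Path pom = Path.of(args.length > 0 ? args[0] : "pom.xml");
        Model model;
        try (InputStream in = Files.newInputStream(pom)) {
            // XML-to-object mapping only: no plugin, extension or lifecycle is run.
            model = new MavenXpp3Reader().read(in);
        }
        if (model.getParent() != null) {
            System.out.println("# parent " + model.getParent().getId()
                    + " not read: inherited dependencies are missing below");
        }
        for (Dependency d : model.getDependencies()) {
            if (!isRuntimeScope(d.getScope())) {
                continue; // test, provided and system scopes are not runtime jars
            }
            String gav = d.getGroupId() + ":" + d.getArtifactId() + ":"
                    + d.getType() + ":" + d.getVersion();
            System.out.println(needsEffectiveModel(d.getVersion())
                    ? gav + "  # unresolved, needs the effective model"
                    : gav);
        }
    }
}
```

This covers only what the file itself declares; the transitive closure still needs a resolver run such as the GetDependencyTree demo linked in the reply above.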
Re: [VOTE] Release Apache Maven version 3.8.7
+1

On Sat, Dec 24, 2022 at 9:20 PM Michael Osipov wrote:

> Hi,
>
> We solved 19 issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922=12352690
>
> There are still hundreds of issues left in JIRA:
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20resolution%20%3D%20Unresolved
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1839/
>
> Dev dist directory:
> https://dist.apache.org/repos/dist/dev/maven/maven-3/3.8.7/
>
> Source release checksums:
> apache-maven-3.8.7-src.zip sha512:
> 7c5bbdfbd85711d11f93254208978b47e4dcf010f94a1b9f549c3040507d751dff10d99c5f3af5fa92fd44b4261fc950d69eac345736f62007416e1350319891
> apache-maven-3.8.7-src.tar.gz sha512:
> 99dc6a44811d945d2d9a9e88b32abde5a82e4a8fa202ff217a5e3106d7fc532f347cff01331f6c2c0d86b2cf67fc0d0ee609d0c7d39b352a9422b990e49a81eb
>
> Binary release checksums:
> apache-maven-3.8.7-bin.zip sha512:
> c687fcdc3890bcf0f9f9dbc42ceded21dc80f0dcc5541c28912a99224694793f6e437998e46b5939bd314178865263c62a069c6c6f15d1d0541eea75748c46fd
> apache-maven-3.8.7-bin.tar.gz sha512:
> 21c2be0a180a326353e8f6d12289f74bc7cd53080305f05358936f3a1b6dd4d91203f4cc799e81761cf5c53c5bbe9dcc13bdb27ec8f57ecf21b2f9ceec3c8d27
>
> Draft for release notes:
> https://github.com/apache/maven-site/pull/356
>
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open until 2022-12-30T20:00Z
>
> [ ] +1
> [ ] +0
> [ ] -1

--
Arnaud Héritier
Twitter/GitHub/... : aheritier
Re: [VOTE] Release Apache Maven version 3.8.7
+1

On Sat, Dec 24, 2022 at 9:20 PM Michael Osipov wrote:

> Hi,
>
> We solved 19 issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922=12352690
>
> There are still hundreds of issues left in JIRA:
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20resolution%20%3D%20Unresolved
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1839/
>
> Dev dist directory:
> https://dist.apache.org/repos/dist/dev/maven/maven-3/3.8.7/
>
> Source release checksums:
> apache-maven-3.8.7-src.zip sha512:
> 7c5bbdfbd85711d11f93254208978b47e4dcf010f94a1b9f549c3040507d751dff10d99c5f3af5fa92fd44b4261fc950d69eac345736f62007416e1350319891
> apache-maven-3.8.7-src.tar.gz sha512:
> 99dc6a44811d945d2d9a9e88b32abde5a82e4a8fa202ff217a5e3106d7fc532f347cff01331f6c2c0d86b2cf67fc0d0ee609d0c7d39b352a9422b990e49a81eb
>
> Binary release checksums:
> apache-maven-3.8.7-bin.zip sha512:
> c687fcdc3890bcf0f9f9dbc42ceded21dc80f0dcc5541c28912a99224694793f6e437998e46b5939bd314178865263c62a069c6c6f15d1d0541eea75748c46fd
> apache-maven-3.8.7-bin.tar.gz sha512:
> 21c2be0a180a326353e8f6d12289f74bc7cd53080305f05358936f3a1b6dd4d91203f4cc799e81761cf5c53c5bbe9dcc13bdb27ec8f57ecf21b2f9ceec3c8d27
>
> Draft for release notes:
> https://github.com/apache/maven-site/pull/356
>
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open until 2022-12-30T20:00Z
>
> [ ] +1
> [ ] +0
> [ ] -1