The security concern here is nonsense, at best it's 'security by obscurity'.
However, there's a better reason to clean off the poms that happened to us. Our product poms use our internal parent POM, which encodes our chosen options for all the plugins we use at build time, and our infrastructure (e.g. Sonar). It makes no sense to distribute that POM, but without it, our poms don't work. So, our customers _asked us to remove our poms_ from the metadata, to make it _easier for them to push our jars to their repository manager_. The ideal solution would be for us to put 'clean' poms in the metadata that declared only dependencies and no parent. However, I am unaware of any way to get maven to automatically generate such things. Is anyone else? On Tue, Nov 19, 2013 at 5:57 AM, Adam Retter <adam.ret...@googlemail.com> wrote: > I would of thought it would be better practice to keep a clean > separation between your pom.xml and settings.xml where any sensitive > server information goes in your settings.xml > > However, if you are worried that someone knowing a URL to an internal > server is a security risk, then I would suggest you have bigger > problems with your security infrastructure. > > As a developer, it it fantastically useful to have the pom's available > even when working with closed (or non-open) source products. > > On 19 November 2013 02:16, Paul Benedict <pbened...@apache.org> wrote: >> My personal opinion for closed-source products is not to include the >> generated POM. If someone somehow stole your proprietary jar, the POM might >> help to find out where to steal the rest -- URL locations and custom >> properties, in particular. >> >> >> >> >> On Mon, Nov 18, 2013 at 7:46 PM, Tang Kin Chuen <kct...@big2.net> wrote: >> >>> Same here. >>> >>> Just wondering if it's common practice for close sourced products to remove >>> maven manifest info from jars... something we cannot search in open source >>> codes! :-) >>> >>> I am hoping to get an authoritative reference that says it's OK to leave it >>> there. >>> On Nov 19, 2013 9:40 AM, "Adam Retter" <adam.ret...@googlemail.com> wrote: >>> >>> > I would be interested to know what your peers perceive the security >>> > concerns as being? >>> > >>> > On 19 November 2013 01:22, Tang Kin Chuen <kct...@big2.net> wrote: >>> > > Hi guys, >>> > > >>> > > Are there any security concerns in leaving the default pom file(s) in >>> > > meta-inf of generated jars for "commercial products"? >>> > > >>> > > I find it useful to leave it there for troubleshooting purpose, >>> thinking >>> > > that there is not much security concerns but my peers are thinking >>> > > otherwise. >>> > > >>> > > I would like to seek some advise/opinions on this topic. >>> > > >>> > > Cheers! >>> > >>> > >>> > >>> > -- >>> > Adam Retter >>> > >>> > skype: adam.retter >>> > tweet: adamretter >>> > http://www.adamretter.org.uk >>> > >>> > --------------------------------------------------------------------- >>> > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org >>> > For additional commands, e-mail: users-h...@maven.apache.org >>> > >>> > >>> >> >> >> >> -- >> Cheers, >> Paul > > > > -- > Adam Retter > > skype: adam.retter > tweet: adamretter > http://www.adamretter.org.uk > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > For additional commands, e-mail: users-h...@maven.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
