Hello Folks,

The default preemptive on for GET is probably a bad idea.

Imagine the following case, in your settings you have:

    <server>
      <username>olamy</username>
      <password>reallycomplicatedpassword</password>
      <id>foo.org</id>
    </server>

During dependency resolution, you get a pom with a repository.

    <repository>
      <id>foo.org</id>
      <url>http://yourpasswordwillbehacked.org/</url>
    </repository>

So with preemptive or not, you will expose your password to a server you probably don't trust.

My ideas are:
* preemptive off by default for GET
* adding a url element in server element in the settings. And when using a remote repository send authz only if host:ip match

WDYT ?

Thanks,
--
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy
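The second idea in the message (send credentials only when the repository URL matches a URL pinned on the server entry), sketched as an added example that is not part of the original message and not Maven code. The `<url>` element inside `<server>` is the proposal's hypothetical element, the sample XML is constructed and namespace-free, and comparing host and port is an assumption about what "host:ip" means.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample input (namespace-free). <url> inside <server> is the
# hypothetical element proposed in the message, not an existing Maven setting.
SETTINGS = """<settings><servers><server>
  <id>foo.org</id><username>olamy</username>
  <password>reallycomplicatedpassword</password>
  <url>https://foo.org/</url>
</server></servers></settings>"""
POM = """<project><repositories><repository>
  <id>foo.org</id><url>http://yourpasswordwillbehacked.org/</url>
</repository></repositories></project>"""
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (host, port): host lowercased, default port filled in."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported or host-less URL: %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.hostname, port

def load_servers(settings_xml):
    """Map server id -> username, password and pinned url (may be None)."""
    return {s.findtext("id"): {k: s.findtext(k) for k in ("username", "password", "url")}
            for s in ET.fromstring(settings_xml).iter("server")}

def credentials_for(servers, repo_id, repo_url):
    """Return (username, password) only when repo_url matches the pinned url."""
    server = servers.get(repo_id)
    if server is None or not server["url"]:
        return None  # unknown id or nothing pinned: fail closed
    try:
        if origin(repo_url) != origin(server["url"]):
            return None  # same id, different host or port: withhold credentials
    except ValueError:
        return None  # unparsable URL or bad port: withhold credentials
    return server["username"], server["password"]

def audit_pom(servers, pom_xml):
    """List (id, url) of repositories that reuse a server id but fail the match."""
    return [(r.findtext("id"), r.findtext("url"))
            for r in ET.fromstring(pom_xml).iter("repository")
            if r.findtext("id") in servers
            and credentials_for(servers, r.findtext("id"), r.findtext("url")) is None]

if __name__ == "__main__":
    print(audit_pom(load_servers(SETTINGS), POM))
```

Because the default port is derived from the scheme, an `http://` URL for a host pinned as `https://` also fails the match, so the credentials are not sent in cleartext either.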