Hello Folks,

The default preemptive on for GET is probably a bad idea.
Imagine the following case, in your settings you have:

    <server>
      <username>olamy</username>
      <password>reallycomplicatedpassword</password>
      <id>foo.org</id>
    </server>

During dependency resolution, you get a pom with a repository.

    <repository>
      <id>foo.org</id>
      <url>http://yourpasswordwillbehacked.org/</url>
    </repository>

So with preemptive or not, you will expose your password to a server
you probably don't trust.

My ideas are:
* preemptive off by default for GET
* adding a url element in server element in the settings. And when
using a remote repository send authz only if host:ip match

WDYT ?

Thanks,
-- 
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy
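
The second idea in the message above, sketched as an added example that is not part of the original message and is not Maven's code: credentials for a server id are released only when the repository URL matches a URL pinned in the settings. The `<url>` child of `<server>` is the element proposed in the message, not an existing settings field; comparing the scheme as well as host and port, and withholding credentials when no `<url>` is pinned, are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a settings entry carrying the proposed <url> element.
# (Real settings.xml files usually declare an XML namespace; omitted here.)
SETTINGS = """<settings><servers>
  <server>
    <id>foo.org</id>
    <username>olamy</username>
    <password>reallycomplicatedpassword</password>
    <url>https://repo.foo.org/</url>
  </server>
</servers></settings>"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for an http(s) URL, default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    # parts.hostname is lower-cased and excludes any user@ prefix.
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def credentials_for(settings_xml, repo_id, repo_url):
    """Return (username, password) only if repo_url matches the pinned origin."""
    for server in ET.fromstring(settings_xml).iter("server"):
        if server.findtext("id") != repo_id:
            continue
        pinned = server.findtext("url")
        if not pinned:
            return None  # assumption: no pinned URL means no credentials
        try:
            if origin(pinned.strip()) != origin(repo_url):
                return None  # same id, different server: withhold
        except ValueError:
            return None  # unparsable URL or port: withhold
        return server.findtext("username"), server.findtext("password")
    return None  # no server entry with this id
```

With this check, the repository id alone no longer selects credentials, so a pom that reuses the id `foo.org` with a different host gets an unauthenticated request.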
