I'm sure users will end up becoming more confused: "hey, but I have version x of library y, but Ant downloaded version z and it doesn't work any more". Or "I'm building a project at home and although I have junit.jar, Ant suddenly decided to download it again from the site over my slow connection". And automatic start of updates without the user approving it is bad imho.
Imho a better solution is: define in antlib's deployment descriptor files which jars the task depends upon and show an error message if that jar is not found. That's exactly what we're doing in XDoclet 1.2. So if you use webdoclet but javax.servlet is missing, we show an error message according to the <class-dependency/> of the module.xml descriptor file.

Ara.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 09, 2002 4:55 PM
> To: Ant Developers List
> Subject: Ant Security
>
> I see a lot of discussion in the antlib/ant2 threads about automatic
> download of required jars. To me this raises some security concerns. It
> would be quite simple for this mechanism to be abused to load
> unauthorized code onto a user's machine. Already, today, the ability to
> <get> and <exec> exists. The addition of proxy capability will only make
> this easier.
>
> I've started to address this in Mutant with a simple policy file. I did
> reorganize the directory structure to make it more convenient for
> specifying the policy permissions.
>
> Anyway, I thought it was worth raising the issue now for discussion
> especially as the concept of an Ant1 antlib is again on the agenda.
>
> Thoughts?
>
> Conor
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
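As an added example, not code from Ant, XDoclet or anyone in this thread: the "declare the dependency, fail with an error if it is missing" approach Ara describes, in Python. It reads a descriptor in the spirit of XDoclet's module.xml, looks for each declared class inside the jars on a given classpath, and reports what is missing rather than fetching anything over the network. The `<class-dependency/>` element name comes from the thread; the `name` and `jar` attributes, the helper names, and the fixture jars built in a temp directory are assumptions made for this illustration.

```python
"""
Added example (not code from Ant, XDoclet or this mailing-list thread).
A dependency check that refuses to run a task whose declared classes are
absent from the classpath, instead of silently downloading a jar.
Descriptor attribute names, helper names and fixture data are assumed.
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Constructed descriptor: <class-dependency/> is the element named in the
# thread; the "name" and "jar" attributes are an assumption for this example.
MODULE_XML = """<?xml version="1.0"?>
<xdoclet-module>
  <class-dependency name="javax.servlet.http.HttpServlet" jar="servlet.jar"/>
  <class-dependency name="junit.framework.TestCase" jar="junit.jar"/>
</xdoclet-module>
"""


def parse_dependencies(descriptor_xml):
    """Return [(class_name, suggested_jar)] declared in the descriptor."""
    root = ET.fromstring(descriptor_xml)
    return [(dep.get("name"), dep.get("jar", "?"))
            for dep in root.iter("class-dependency")]


def class_in_jar(jar_path, class_name):
    """True if the jar (a zip file) contains the .class entry for class_name."""
    entry = class_name.replace(".", "/") + ".class"
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return entry in jar.namelist()
    except (OSError, zipfile.BadZipFile):
        # Unreadable or not a jar at all: it does not provide the class.
        return False


def check_dependencies(descriptor_xml, classpath):
    """Return one error message per declared class not found on classpath.
    An empty list means every dependency is present and the task may run."""
    errors = []
    for class_name, jar_hint in parse_dependencies(descriptor_xml):
        if not any(class_in_jar(jar, class_name) for jar in classpath):
            errors.append("Missing %s (expected in %s); add it to the classpath"
                          % (class_name, jar_hint))
    return errors


def make_jar(path, class_names):
    """Write a minimal jar with empty .class entries (constructed fixture)."""
    with zipfile.ZipFile(path, "w") as jar:
        for name in class_names:
            jar.writestr(name.replace(".", "/") + ".class", b"")


def demo():
    """Build two fixture jars, then run the check with and without servlet.jar."""
    with tempfile.TemporaryDirectory() as tmp:
        junit = os.path.join(tmp, "junit.jar")
        servlet = os.path.join(tmp, "servlet.jar")
        make_jar(junit, ["junit.framework.TestCase"])
        make_jar(servlet, ["javax.servlet.http.HttpServlet"])
        missing = check_dependencies(MODULE_XML, [junit])
        complete = check_dependencies(MODULE_XML, [junit, servlet])
        return missing, complete


if __name__ == "__main__":
    missing, complete = demo()
    for err in missing:
        print("ERROR:", err)
    print("all dependencies present with both jars:", not complete)
```

The point of the design is that the check is local and read-only: the user's classpath is the only source of truth, and a missing jar is a reported error the user resolves, never an implicit trigger for a download.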
