Rafal Krzewski wrote:
Michal Maczka wrote:

I second Michal's opinion that we should not put any more plugins into
maven repository, and that some of the existing one should move away
onto another CVS repo on maven.apache.org or even to the repos of
their associated software projects.

I haven't had the time to review the code at all, but this is where security policies and the like should come into play.


The core plugins distributed with Maven could have one security policy, fairly liberal because they've been vetted by developers. These plugins would handle the primary build mechanisms and one or more facilities to download other plugins.

Anything they download - including other plugins - will default to more restrictive policies. E.g., perhaps no downloaded plugin can download any other plugin, but it can download other files at the same site.

Individual sites can override the security policy, of course. But as I've mentioned before unrestricted downloads and execution of unknown code makes me nervous.

As a side note - is there a log of what's downloaded (or uploaded!) anywhere, e.g., perhaps through an instrumented java.net package?
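An added example, not code from this thread or from the Maven project, of how the two-tier policy sketched above could be expressed with the standard `java.security.Policy` API: code loaded from the local core-plugin directory receives broad permissions, while code whose origin is an HTTP URL receives only a socket permission back to the host it came from, so a downloaded plugin cannot fetch further plugins from elsewhere. The core-plugin base path `file:/opt/maven/plugins/` and the plugin URLs are assumed placeholders. `Policy` is deprecated in recent JDKs but still present; the example only evaluates the policy with `implies` rather than installing a `SecurityManager`, so it runs on current releases.

```java
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.net.SocketPermission;

/**
 * Two-tier plugin policy (hypothetical, not Maven's own code):
 *  - core plugins under corePluginBase (vetted by developers): liberal, AllPermission
 *  - plugins downloaded over http/https: may only open sockets to their origin host
 *  - code with no known origin: no permissions at all
 */
public class PluginPolicy extends Policy {
    private final String corePluginBase; // assumed, e.g. "file:/opt/maven/plugins/"

    public PluginPolicy(String corePluginBase) {
        this.corePluginBase = corePluginBase;
    }

    @Override
    public PermissionCollection getPermissions(CodeSource cs) {
        Permissions perms = new Permissions();
        URL loc = (cs == null) ? null : cs.getLocation();
        if (loc == null) {
            return perms; // unknown origin: deny everything
        }
        String where = loc.toExternalForm();
        String proto = loc.getProtocol();
        if (where.startsWith(corePluginBase)) {
            perms.add(new AllPermission()); // vetted core plugin
        } else if ("http".equals(proto) || "https".equals(proto)) {
            // Downloaded plugin: connect only to the site it came from (any port),
            // which blocks it from pulling further plugins from other hosts.
            perms.add(new SocketPermission(loc.getHost(), "connect,resolve"));
        }
        return perms;
    }

    @Override
    public boolean implies(ProtectionDomain pd, Permission p) {
        return getPermissions(pd.getCodeSource()).implies(p);
    }

    /** Builds a ProtectionDomain for code that was loaded from the given URL. */
    static ProtectionDomain domainFor(String url) throws Exception {
        return new ProtectionDomain(new CodeSource(new URL(url), (java.security.cert.Certificate[]) null), null);
    }

    public static void main(String[] args) throws Exception {
        PluginPolicy policy = new PluginPolicy("file:/opt/maven/plugins/");

        ProtectionDomain core = domainFor("file:/opt/maven/plugins/maven-java-plugin.jar");
        ProtectionDomain downloaded = domainFor("http://plugins.example.org/extra-plugin.jar");

        Permission sameSite = new SocketPermission("plugins.example.org:80", "connect");
        Permission otherSite = new SocketPermission("other.example.net:80", "connect");

        // core plugin: both allowed; downloaded plugin: only its origin host
        System.out.println("core -> same site:   " + policy.implies(core, sameSite));        // true
        System.out.println("core -> other site:  " + policy.implies(core, otherSite));       // true
        System.out.println("dl   -> same site:   " + policy.implies(downloaded, sameSite));  // true
        System.out.println("dl   -> other site:  " + policy.implies(downloaded, otherSite)); // false
    }
}
```

The origin check is by code source only; a production policy would also want to key on signer certificates (the second `CodeSource` argument) so that a vetted plugin is recognised by who signed it rather than by the directory it happens to sit in.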

