Anders,

this is the only change for 3.0.5: http://maven.apache.org/security.html
bottom line: certificates are not checked.
It's a serious security issue and for that reason I'd prefer 3.0.5 over 3.0.4

thanks,
Robert

On Mon, 13 Oct 2014 07:48:11 +0200, Anders Hammar <[email protected]> wrote:

Personally I have a problem with a Maven 3.0.5 requirement. The reason is
that there are IDEs out there that are based on Maven 3.0.4. Also, IIRC
there was just a very minor (code wise) difference between Maven 3.0.5 and
3.0.4, so requiring 3.0.5 (instead of 3.0.4) wouldn't give us much.
Having said that, I'm in favor of moving to a Maven 3.0 requirement. And
making that a 3.0.4 requirement is fine with me.

/Anders

On Sun, Oct 12, 2014 at 3:25 PM, Karl Heinz Marbaise <[email protected]>
wrote:

Hi Robert,

from my point of view minimum to 3.0.5 ...nothing below...afterwards
3.1.1.....and then 3.2.1...the latest releases from the appropriate release
lines 3.0.X, 3.1.X, 3.2.X,....

I wouldn't go to 3.1.0 at the moment cause that could be confusing....from
user point of view...then there is a gap...

2.2.1
3.1.1

From my side...

Kind regards
Karl Heinz Marbaise

> Hi,


Right now we change the Maven prerequisite to 2.2.1 and I noticed some
new issues which already want to move it forward to 3.0.4. I wonder why
to move to this version.

Most (API-)changes have been introduced with the 3.0 alpha and beta
releases. I don't think that the other 3.0.x releases provide that much
more changes.
So I would say that changing the required Maven version would be 3.0.
*If* we want to force users not to use 3.0.4 due to the CVE-2013-0253,
we should say that 3.0.5 is the next required version of Maven.
And I could go one step further: if we want to get rid of the
compatibility overhead for Aether (Sonatype versus Eclipse) we should
change it to 3.1.0

So I'd prefer to move forward to 3.0, maybe even to 3.1.0, but not to
3.0.4 unless there are better reasons than I mentioned above.

Any other opinions?

thanks,
Robert


Kind regards
Karl Heinz Marbaise


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

