@Hervé BOUTEMY <herve.bout...@free.fr> I'm fine with any *solution* to this issue which must enable user to use a 3.6.n, n > 3 to block http (and not https) repos by config. I proposed to backport the 3.8 solution (even if not satisfying for some) to avoid to break between 3.6 and 3.8 and later 4.x but while goal is reached I'm happy with any solution but have to admit I'm not sure which one you aim at with your last answer so please advice me :s.
Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance> Le ven. 2 avr. 2021 à 19:32, Hervé BOUTEMY <herve.bout...@free.fr> a écrit : > disagree: it is my last sentence on the question, no more time to loose > > non breaking by default is not fixing: fixing is breaking by default > > and of course, yes, a user can override default secure configuration to > allow > insecure exceptions or even global insecure: it's his responsibility > > > done with me > > Le vendredi 2 avril 2021, 19:01:49 CEST Romain Manni-Bucau a écrit : > > Le ven. 2 avr. 2021 à 18:39, Hervé BOUTEMY <herve.bout...@free.fr> a > écrit : > > > backporting MNG-7119, I understand that it fixes a (low severity) > security > > > issue > > > > > > backporting MNG-7116, MNG-7117 and MNG-7128 without MNG-7118 does not > > > backport > > > THE security fix = MNG-7118 block HTTP by default > > > > Nop, this is NOT a security fix for most build Hervé, it is only for > builds > > not customizing the global settings.xml. > > Concretely, it is 1-1 due to maven usage to have or not the default > > regarding the security fix (agree it is saner to have it by default) but > > for 3.6 branch breaking by default is not an opiotn, therefore enabling > to > > use it but not enabling it out of the box. > > > > > sorry, breaking by default is the security fix: if you don't want > breaking > > > by > > > default, you don't want the security fix > > > > Not sure I'm following the reasoning. > > What I said in the 3.6/3.8 thread was that we must enable the security > fix > > to be used in 3.6 branch, this is what does the PR. > > > > > Regards, > > > > > > Hervé > > > > > > Le vendredi 2 avril 2021, 09:20:37 CEST Romain Manni-Bucau a écrit : > > > > Hi all, > > > > > > > > As explained in another thread, I created > > > > https://github.com/apache/maven/pull/462 to backport the security > fix on > > > > 3.8 in 3.6.x. > > > > Anyone able to review it? > > > > Only change is that the default configuration is not there but it > can be > > > > enabled - idea is to document it instead of breaking by default. > > > > > > > > Romain Manni-Bucau > > > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > > > <https://rmannibucau.metawerx.net/> | Old Blog > > > > <http://rmannibucau.wordpress.com> | Github < > > > > > > https://github.com/rmannibucau> > > > > > > > | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > > > > > > > > < > > > > > > > https://www.packtpub.com/application-development/java-ee-8-high-performanc > > > e > > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org > > > For additional commands, e-mail: dev-h...@maven.apache.org > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org > For additional commands, e-mail: dev-h...@maven.apache.org > >
