Noel J. Bergman wrote:
If and when the ASF decides to host our own Maven repository wherein we can
ensure that for all time we have ALL necessary artifacts to build all
historical versions, I'll be happy to revisit whether we should maintain the
artifacts in SVN.

Can we live for a while with a pom.xml that generates our site and reports using untrusted libraries?

I will take the risk of running the maven tasks, so if it downloads something unexpected no one will care about this.

I agree about the security issues raised by Noel, but I would like to avoid requiring from maven things that we never required from ant.

FWIW, the maven team is already moving in the right direction:
http://docs.codehaus.org/display/MAVEN/Repository+Security+Improvements

The proposal seems good, but unfortunately it seems that someone has to integrate the already existing code and implement the missing parts, so there is no ETA for this.

Btw, I'd like to have a simple roadmap:
1) for now we keep the "unsafe" maven stuff to build the server website
2) when we are ready to move server to maven2 for build and packaging, we will review what the directory project did and the status of those new security features in maven, and will decide whether to:
  3a) create a maven repository for third-party dependencies under the james website or under an svn subfolder of the james repository
  3b) use the new features and skip the creation of our own repository
  3c) use a third-party repository that the ASF created in the meantime

I believe that 2 won't happen before the end of the year, so we could wait and look out of the window in the meantime.

Is this ok?

Stefano
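An added example, not part of the mailing-list thread above and not Maven's own repository-security code: the kind of check the "unsafe" maven build lacks. A build that pulls third-party jars from a remote repository is only as trustworthy as that repository, so the cheapest defence is to keep a manifest of known-good checksums under version control (the "svn subfolder" option of the roadmap) and refuse to proceed if any artifact is missing, altered, or not listed. The manifest format (`<sha256>  <relative path>`), the directory layout and the jar contents are all constructed for this example.

```python
"""
Added example (not from the James thread or from Maven): verify a local
artifact cache against a version-controlled manifest of SHA-256 digests.
Manifest format is an assumption chosen here: one "<sha256>  <relative path>"
per line, '#' starts a comment.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large jars do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Map relative artifact path -> expected lowercase hex digest."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected


def verify_artifacts(repo_dir, manifest_text):
    """Return (ok, problems).

    ok is True only when every manifest entry is present with the right digest
    and no unlisted file is present in the cache. problems is a sorted list of
    (kind, relative_path) with kind in {"mismatch", "missing", "unexpected"}.
    Unlisted files are reported too: a dependency the pom pulled in that nobody
    reviewed is exactly the "download something unexpected" case.
    """
    expected = parse_manifest(manifest_text)
    problems = []
    present = set()
    for root, _, files in os.walk(repo_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, repo_dir).replace(os.sep, "/")
            present.add(rel)
            if rel not in expected:
                problems.append(("unexpected", rel))
            elif sha256_of(full) != expected[rel]:
                problems.append(("mismatch", rel))
    for rel in expected:
        if rel not in present:
            problems.append(("missing", rel))
    return (not problems, sorted(problems))


def demo():
    """Constructed scenario: one intact jar, one tampered jar, one jar that is in
    the cache but not in the manifest, and one manifest entry never downloaded."""
    files = {  # fake jar bytes, constructed for the example
        "org/example/commons-foo/1.0/commons-foo-1.0.jar": b"fake jar: commons-foo",
        "org/example/reporting/2.1/reporting-2.1.jar": b"fake jar: reporting (tampered)",
        "org/example/surprise/0.1/surprise-0.1.jar": b"nobody asked for this",
    }
    manifest = "\n".join([
        "# sha256  path  (constructed manifest)",
        hashlib.sha256(b"fake jar: commons-foo").hexdigest()
        + "  org/example/commons-foo/1.0/commons-foo-1.0.jar",
        hashlib.sha256(b"fake jar: reporting (original)").hexdigest()
        + "  org/example/reporting/2.1/reporting-2.1.jar",
        hashlib.sha256(b"never downloaded").hexdigest()
        + "  org/example/absent/3.0/absent-3.0.jar",
    ])
    d = tempfile.mkdtemp()
    try:
        for rel, data in files.items():
            full = os.path.join(d, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return verify_artifacts(d, manifest)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    ok, problems = demo()
    print("ok" if ok else "FAILED", problems)
```

Run as a pre-build step, a non-zero exit on `not ok` is what turns the manifest into an actual gate; the digests in the manifest are what gets reviewed and committed, not the jars themselves.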
