[
https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15544936#comment-15544936
]
ASF GitHub Bot commented on FLINK-4732:
---------------------------------------
Github user uce commented on the issue:
https://github.com/apache/flink/pull/2586
Thanks! It's good to address this. I really liked the symbolic link, maybe
we can enable it again after this has been resolved by the Maven plugin.
+1 to merge this to `master` and `release-1.1` branches.
> Maven junction plugin security threat
> -------------------------------------
>
> Key: FLINK-4732
> URL: https://issues.apache.org/jira/browse/FLINK-4732
> Project: Flink
> Issue Type: Bug
> Components: Build System
> Reporter: Maximilian Michels
> Assignee: Maximilian Michels
> Priority: Critical
> Fix For: 1.2.0, 1.1.3
>
>
> We use the Maven Junction plugin
> http://pyx4j.com/pyx4j-maven-plugins/maven-junction-plugin/introduction.html
> to create a symbolic link to the build directory. On Windows, the plugin
> downloads an executable from the author's homepage which may be modified by
> an attacker. The plugin has not been updated since 2007 and the maintainer
> has not shown interest to fix the issue.
> I propose to remove the plugin while this security threat persists.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
