[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15544936#comment-15544936 ]
ASF GitHub Bot commented on FLINK-4732: --------------------------------------- Github user uce commented on the issue: https://github.com/apache/flink/pull/2586 Thanks! It's good to address this. I really liked the symbolic link, maybe we can enable it again after this has been resolved by the Maven plugin. +1 to merge this to `master` and `release-1.1` branches. > Maven junction plugin security threat > ------------------------------------- > > Key: FLINK-4732 > URL: https://issues.apache.org/jira/browse/FLINK-4732 > Project: Flink > Issue Type: Bug > Components: Build System > Reporter: Maximilian Michels > Assignee: Maximilian Michels > Priority: Critical > Fix For: 1.2.0, 1.1.3 > > > We use the Maven Junction plugin > http://pyx4j.com/pyx4j-maven-plugins/maven-junction-plugin/introduction.html > to create a symbolic link to the build directory. On Windows, the plugin > downloads an executable from the author's homepage which may be modified by > an attacker. The plugin has not been updated since 2007 and the maintainer > has not shown interest to fix the issue. > I propose to remove the plugin while this security threat persists. -- This message was sent by Atlassian JIRA (v6.3.4#6332)