[ 
https://issues.apache.org/jira/browse/MJAR-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17957089#comment-17957089
 ] 

Matthias Bünger commented on MJAR-309:
--------------------------------------

This project has moved from Jira to GitHub Issues. This issue was migrated to 
[apache/maven-jar-plugin#196|https://github.com/apache/maven-jar-plugin/issues/196].
 Please visit the GitHub issue to view further activity, add comments, or 
subscribe to receive notifications.

> Modular Jar file permissions changed when fixing modification time
> ------------------------------------------------------------------
>
>                 Key: MJAR-309
>                 URL: https://issues.apache.org/jira/browse/MJAR-309
>             Project: Maven JAR Plugin (Moved to GitHub Issues)
>          Issue Type: Bug
>    Affects Versions: 3.4.1
>            Reporter: Laurent Goujon
>            Priority: Minor
>
> When a new modular jar file is generated with {{maven-jar-plugin}} with Java 
> 11, the final permissions of the file are restricted to the current user 
> instead of using the environment umask which usually allows for group and 
> other users to access the file as well.
> This is caused by the use of {{Files#createTempFile()}} in 
> {{plexus-archiver}} to rewrite the original jar file. The method has a 
> restrictive file permission model for security reason but as the temporary 
> file is generated next to the original jar file, and there's no sensitive 
> reason to restrict its access, the restrictive file permission should not be 
> needed.
> The change of permissions causes some issues in some build environment like 
> Github Actions for example (used by Apache Arrow. See 
> https://github.com/apache/arrow/pull/41309 for details)
> Issue has been reported to {{plexus-archiver}} as 
> https://github.com/codehaus-plexus/plexus-archiver/issues/332 with a 
> [fix|https://github.com/codehaus-plexus/plexus-archiver/pull/333] being 
> merged in the project's master branch



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to