[
https://issues.apache.org/jira/browse/MJAR-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17957089#comment-17957089
]
Matthias Bünger commented on MJAR-309:
--------------------------------------
This project has moved from Jira to GitHub Issues. This issue was migrated to
[apache/maven-jar-plugin#196|https://github.com/apache/maven-jar-plugin/issues/196].
Please visit the GitHub issue to view further activity, add comments, or
subscribe to receive notifications.
> Modular Jar file permissions changed when fixing modification time
> ------------------------------------------------------------------
>
> Key: MJAR-309
> URL: https://issues.apache.org/jira/browse/MJAR-309
> Project: Maven JAR Plugin (Moved to GitHub Issues)
> Issue Type: Bug
> Affects Versions: 3.4.1
> Reporter: Laurent Goujon
> Priority: Minor
>
> When a new modular jar file is generated with {{maven-jar-plugin}} with Java
> 11, the final permissions of the file are restricted to the current user
> instead of using the environment umask which usually allows for group and
> other users to access the file as well.
> This is caused by the use of {{Files#createTempFile()}} in
> {{plexus-archiver}} to rewrite the original jar file. The method has a
> restrictive file permission model for security reason but as the temporary
> file is generated next to the original jar file, and there's no sensitive
> reason to restrict its access, the restrictive file permission should not be
> needed.
> The change of permissions causes some issues in some build environment like
> Github Actions for example (used by Apache Arrow. See
> https://github.com/apache/arrow/pull/41309 for details)
> Issue has been reported to {{plexus-archiver}} as
> https://github.com/codehaus-plexus/plexus-archiver/issues/332 with a
> [fix|https://github.com/codehaus-plexus/plexus-archiver/pull/333] being
> merged in the project's master branch
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
