On Fri, Mar 23, 2012 at 3:09 PM, Sander Mak <[email protected]> wrote:
> What do you guys do in practice to prevent this? Does anyone have real-life
> experience with such an attack?
I think you raise some really good questions here, some that I've thought about before but skipped over because "I don't have time to think about those things" :-)

This is where organizations like the Apache Software Foundation are helpful. Apache frowns upon projects that don't make releases every so often, so you're likely to have a somewhat recent release of an Apache product. It's up to you and your dependent software projects to ensure you're using the later releases.

But in the end, we can't rely on Maven, Nexus, Apache, or anyone else to do our due diligence for us. If our project includes a few dozen jars pulled in from who knows where (as do most), we must check the provenance of the bits we're including. Who does that? I know I don't do that enough.

As an aside, do you know if Artifactory contains the PGP checking feature that Nexus does? We've been using the open-source version of Nexus and are in the process of switching to the pro version of Artifactory.

Greg
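One practical starting point for the provenance check Greg describes, as an added example that is not from this thread: a script that walks a Maven-layout repository, verifies each jar against its `.sha1` sidecar and reports whether a detached `.asc` PGP signature is present. The repository and its artifacts are constructed sample data; verifying the `.asc` contents themselves still requires gpg and the publisher's key, which this script does not attempt.

```python
"""Audit a Maven-layout repository for basic provenance checks (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha1_of(path: Path) -> str:
    """Stream the file through SHA-1 so large jars don't need to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_jar(jar: Path) -> Dict[str, object]:
    """Compare the jar with its .sha1 sidecar and note whether an .asc signature exists."""
    sha_file = jar.with_name(jar.name + ".sha1")
    asc_file = jar.with_name(jar.name + ".asc")
    result: Dict[str, object] = {"jar": str(jar), "sha1_status": "missing",
                                 "has_asc": asc_file.exists()}
    if sha_file.exists():
        # Sidecars may read "<hash>" or "<hash>  <filename>"; the hash is the first token.
        expected = sha_file.read_text().split()[0].lower()
        result["sha1_status"] = "ok" if expected == sha1_of(jar) else "MISMATCH"
    return result


def audit_repo(root: Path) -> List[Dict[str, object]]:
    """Audit every jar below root, in a stable (sorted) order."""
    return [audit_jar(p) for p in sorted(root.rglob("*.jar"))]


def demo() -> List[Dict[str, object]]:
    """Build a constructed sample repository in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp(prefix="m2-audit-"))
    good = root / "org/example/good/1.0/good-1.0.jar"      # correct checksum, signed
    bad = root / "org/example/bad/1.0/bad-1.0.jar"         # checksum does not match
    unsigned = root / "org/example/nosig/1.0/nosig-1.0.jar"  # no sidecars at all
    for p in (good, bad, unsigned):
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"PK\x03\x04 constructed jar body for " + p.name.encode())
    good.with_name(good.name + ".sha1").write_text(sha1_of(good) + "  " + good.name)
    good.with_name(good.name + ".asc").write_text("-----BEGIN PGP SIGNATURE-----\n(constructed)\n")
    bad.with_name(bad.name + ".sha1").write_text("0" * 40)  # stale or tampered sidecar
    return audit_repo(root)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point `audit_repo` at `~/.m2/repository` to run it over a real local cache; a `MISMATCH` or a jar with no `.asc` is the cue to go back to the publisher and verify the artifact by hand.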
