On Sun, Feb 15, 2009 at 4:43 PM, Robert Burrell Donkin <[email protected]> wrote:
> On Sun, Feb 15, 2009 at 3:55 PM, Stefano Bagnara <[email protected]> wrote:
>> Oleg Kalnichevski wrote:
>>> Markus Wiederkehr wrote:
>>>> On Mon, Feb 9, 2009 at 7:53 PM, Oleg Kalnichevski <[email protected]>
>
> <snip>
>
>>>> Is maven version 2.0.6 still sufficient?
>>>> And for me "mvn package" always did the job; no -U, no -Plocal..
>>>>
>>>
>>> Neither option is required. I guess -Plocal can come handy when building
>>> packages while off-line.
>>
>> -Plocal has been introduced as a *compromise* by me 2 years ago, after
>> working weeks (if not months) trying to satisfy really strict security
>> requirements from other PMC members. They were rejecting the use of maven
>> to make releases if this meant to use remote repositories because of
>> security concerns.
>
> i never really understood the detail behind these concerns
>
> maven uses lots of dependencies, many of which it downloads. so, the
> direct way to infect a release would be by compromising the build tool
> itself (maven). compromising a released jar through a malware compile
> time dependency sounds like something which would require a lot of
> skill.
>
> if maven isn't secure enough then it should be used at all
                                       ^^^^^^^^ shouldn't be
- robert
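The thread turns on whether jars that the build tool downloads are inside a release's trust boundary. As an added example that is not from this thread or the project's own code, here is the kind of check a release manager could run before an offline build: it verifies each jar in a local repository against a pinned SHA-256 manifest and reports intact, missing and altered artifacts. The manifest format, repository layout and sample jars are constructed assumptions.

```python
# Added example, not code from the thread or the project it discusses:
# verify the artifacts in a local Maven repository against a pinned SHA-256
# manifest before an offline build. Manifest format, paths and jars are assumed.
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def parse_manifest(text):
    """Lines of '<sha256>  <relative/path/in/repo>'; '#' starts a comment."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, rel = line.split(None, 1)
            pinned[rel.strip()] = digest.lower()
    return pinned

def verify_repo(repo_dir, pinned):
    """Return (ok, missing, mismatched) relative paths for the pinned artifacts."""
    ok, missing, mismatched = [], [], []
    for rel, digest in sorted(pinned.items()):
        path = Path(repo_dir) / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_of(path) != digest:
            mismatched.append(rel)
        else:
            ok.append(rel)
    return ok, missing, mismatched

def demo():
    """Constructed sample repo: one intact jar, one altered jar, one absent jar."""
    repo = Path(tempfile.mkdtemp())
    good, bad = b"PK\x03\x04 intact jar bytes", b"PK\x03\x04 altered jar bytes"
    for rel, data in (("org/example/a/1.0/a-1.0.jar", good),
                      ("org/example/b/1.0/b-1.0.jar", bad)):
        (repo / rel).parent.mkdir(parents=True)
        (repo / rel).write_bytes(data)
    manifest = "\n".join([
        "# pinned artifacts (constructed sample)",
        hashlib.sha256(good).hexdigest() + "  org/example/a/1.0/a-1.0.jar",
        "00" * 32 + "  org/example/b/1.0/b-1.0.jar",  # digest differs -> mismatched
        "11" * 32 + "  org/example/c/1.0/c-1.0.jar",  # file absent -> missing
    ])
    return verify_repo(repo, parse_manifest(manifest))
```

Calling `demo()` returns the three lists; a real run would point `verify_repo` at `~/.m2/repository` and a manifest committed alongside the release.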
