sdedic commented on PR #7655: URL: https://github.com/apache/netbeans/pull/7655#issuecomment-2289748620
Re.: trust - Maven is a little better than Gradle here. As Maven is declarative (with the exception of scripting plugins), the malicious artifact would have to come from a repository .... so if

- the project ONLY uses trusted(*) repositories
- it does not use user-code-executing(*) (scripting) plugins

... then it's moderately safe to execute the build tool. Gradle is bad, since the build.gradle checked out from a random GitHub is executable itself, so trust needs to be tight.

In fact I originally had a prototype of ProjectTrust ;)) similar to Gradle that would just mark a folder (or its parent) as 'trusted' + a TrustProvider SPI that could (based on its own logic) make a project (folder) trusted. But I shelved it into the work queue :)

IMHO these policymaking discussions should happen on the mailing list perhaps, to get broader attention. I would like to trim down the discussion in this PR to just the things that the API (or its Maven impl) makes "more open" than they are now (IMHO: none, as things like priming or force-maven-load can be done with Maven friend APIs even now).

(*) -- we don't have a configuration/setting for that :)
