jrudolph commented on code in PR #615: URL: https://github.com/apache/pekko-http/pull/615#discussion_r1792980640
########## build.sbt: ##########

@@ -22,6 +22,7 @@ import com.lightbend.paradox.apidoc.ApidocPlugin.autoImport.apidocRootPackage sourceDistName := "apache-pekko-http" sourceDistIncubating := false +ThisBuild / resolvers += Resolver.ApacheMavenSnapshotsRepo

Review Comment:

:+1: Good that we could remove it and that it is not enabled by default. I agree here with Arnout, regardless of potential measurements to limit a potential security problem, adding custom resolvers in the maven/sbt landscape is a big risk which you don't want to push onto every developer working with a repository by default. Since the maven universe has basically no effective mechanism to check against malicious dependencies (or limit the exposure e.g. by checking signatures, or restricting resolvers to certain artifacts), it is not enough to limit against known attack vectors but it is important to also limit the attack surface itself.
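Review bot: `ThisBuild / resolvers += Resolver.ApacheMavenSnapshotsRepo` is scoped to the whole build, so the snapshots repository becomes an artifact source for every project in this repository and for every developer who clones it, not only for the person who needed it. An always-on snapshot resolver widens the set of hosts the build trusts to supply dependencies; if it is needed at all (for example to test against unreleased upstream artifacts), keep it out of the committed default and make it opt-in, such as a local sbt file that is not checked in or a setting enabled by an explicit flag, with a comment next to the line stating why and when it should be used.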