[jira] [Commented] (FLINK-4732) Maven junction plugin security threat
[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15545403#comment-15545403 ]

ASF GitHub Bot commented on FLINK-4732:
---

Github user mxm commented on the issue:

    https://github.com/apache/flink/pull/2586

    Merged to `master` and `release-1.1`.

    @uce I also like the symbolic link. I contacted the maintainer of the plugin because it wouldn't be hard to fix this nowadays with Java 7+, which supports the creation of symbolic links. I think the lack of this was the reason why the author chose to download a binary. However, I don't know why he didn't simply ship it with the jar, which should have been possible.

> Maven junction plugin security threat
> -
>
> Key: FLINK-4732
> URL: https://issues.apache.org/jira/browse/FLINK-4732
> Project: Flink
> Issue Type: Bug
> Components: Build System
> Reporter: Maximilian Michels
> Assignee: Maximilian Michels
> Priority: Critical
> Fix For: 1.2.0, 1.1.3
>
>
> We use the Maven Junction plugin
> http://pyx4j.com/pyx4j-maven-plugins/maven-junction-plugin/introduction.html
> to create a symbolic link to the build directory. On Windows, the plugin
> downloads an executable from the author's homepage which may be modified by
> an attacker. The plugin has not been updated since 2007 and the maintainer
> has not shown interest in fixing the issue.
> I propose to remove the plugin while this security threat persists.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
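As an added illustration of the point in the comment above (this is example code, not code from the Flink project, the plugin, or its author), the following Java program creates the build-directory symbolic link with the java.nio.file API that Java 7 introduced. A build tool that does this in-process has no reason to fetch an executable from a web site, which is the supply-chain exposure the issue describes. The class name and the default paths `target` and `build-target` are assumptions for the example.

```java
import java.io.IOException;
import java.nio.file.FileSystemException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Example only: creates a symbolic link to a build directory using pure Java 7+ NIO,
// with no external binary involved.
public class BuildDirLink {

    // Creates (or refreshes) the symbolic link at linkPath so that it points to targetDir.
    // Refuses to touch a pre-existing path that is not a symbolic link, so a real
    // directory or file is never silently replaced.
    public static Path link(Path linkPath, Path targetDir) throws IOException {
        if (Files.isSymbolicLink(linkPath)) {
            Files.delete(linkPath); // drop a stale link before recreating it
        } else if (Files.exists(linkPath)) {
            throw new IOException(linkPath + " exists and is not a symbolic link; refusing to replace it");
        }
        try {
            return Files.createSymbolicLink(linkPath, targetDir.toAbsolutePath());
        } catch (UnsupportedOperationException | FileSystemException e) {
            // On Windows, creating a symbolic link requires SeCreateSymbolicLinkPrivilege
            // (granted to administrators, or to all users when Developer Mode is enabled).
            // Surface that clearly instead of falling back to downloading a helper tool.
            throw new IOException("symbolic link creation is not permitted for this platform or account", e);
        }
    }

    public static void main(String[] args) throws IOException {
        Path target = Paths.get(args.length > 0 ? args[0] : "target");       // assumed default
        Path link = Paths.get(args.length > 1 ? args[1] : "build-target");   // assumed default
        Files.createDirectories(target);
        Path created = link(link, target);
        System.out.println(created + " -> " + Files.readSymbolicLink(created));
    }
}
```

Run it with `javac BuildDirLink.java && java BuildDirLink target build-target`. The only platform-specific behaviour is the Windows privilege check, which the program reports as an error rather than working around.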
[jira] [Commented] (FLINK-4732) Maven junction plugin security threat
[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15545390#comment-15545390 ]

ASF GitHub Bot commented on FLINK-4732:
---

Github user asfgit closed the pull request at:

    https://github.com/apache/flink/pull/2586
[jira] [Commented] (FLINK-4732) Maven junction plugin security threat
[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15545385#comment-15545385 ]

ASF GitHub Bot commented on FLINK-4732:
---

Github user mxm commented on the issue:

    https://github.com/apache/flink/pull/2586

    Merging to both branches.
[jira] [Commented] (FLINK-4732) Maven junction plugin security threat
[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15544936#comment-15544936 ]

ASF GitHub Bot commented on FLINK-4732:
---

Github user uce commented on the issue:

    https://github.com/apache/flink/pull/2586

    Thanks! It's good to address this. I really liked the symbolic link, maybe we can enable it again after this has been resolved by the Maven plugin.

    +1 to merge this to `master` and `release-1.1` branches.
[jira] [Commented] (FLINK-4732) Maven junction plugin security threat
[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15544871#comment-15544871 ]

ASF GitHub Bot commented on FLINK-4732:
---

Github user mxm commented on the issue:

    https://github.com/apache/flink/pull/2586

    CC @uce
[jira] [Commented] (FLINK-4732) Maven junction plugin security threat
[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15544870#comment-15544870 ]

ASF GitHub Bot commented on FLINK-4732:
---

GitHub user mxm opened a pull request:

    https://github.com/apache/flink/pull/2586

    [FLINK-4732] remove maven junction plugin

    On Windows, the plugin may download code from the author's web site. The downloaded file is not signed in the same way as Maven artifacts from Maven central, which have to be signed with the developer's key. This could be a potential target for attackers.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mxm/flink FLINK-4732

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/flink/pull/2586.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2586

----
commit dcdac00a0432f66bbf2992c8cfcc502d41a7d8c2
Author: Maximilian Michels
Date:   2016-10-04T09:12:35Z

    [FLINK-4732] remove maven junction plugin

    On Windows, the plugin may download code from the author's web site. The downloaded file is not signed in the same way as Maven artifacts from Maven central, which have to be signed with the developer's key. This could be a potential target for attackers.