[ http://jira.codehaus.org/browse/MNG-3384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Fox updated MNG-3384:
---------------------------
    Fix Version/s: 2.0.10

> Repos defined in plugin are used to download dependencies
> ---------------------------------------------------------
>
>                 Key: MNG-3384
>                 URL: http://jira.codehaus.org/browse/MNG-3384
>             Project: Maven 2
>          Issue Type: Bug
>          Components: Artifacts and Repositories, Plugins and Lifecycle
>    Affects Versions: 2.0.8
>            Reporter: Stefan Seidel
>             Fix For: 2.0.10
>
>
> When a plugin defines a repository, the dependencies declared to and by this
> plugin are being resolved within these repositories. While this might be
> easier, it introduces a number of problems, including the fact that it cannot
> be controlled which repos are being used, security concerns (internal
> artifact names might be sent to a remote repository, a malicious plugin could
> define a fake repo with malicious "more recent" versions of almost anything).
> If there is no intention to change the current behaviour, there should be at
> least an option to disable it.
> More unspecifically, I think the situation got worse in 2.1-SNAPSHOT (I use
> the m2eclipse plugin), because I see lookups of SNAPSHOT versions of
> dependencies occur much more often than with 2.0.8.
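As an added example that is not part of this issue or of Maven's own sources: the standard way to control which remote endpoint a build actually contacts is a mirror in settings.xml. Maven applies mirrors to every remote repository it resolves from, including repositories that only entered the build through a plugin's POM, so a wildcard mirror forces all of those lookups through one repository manager you control. The repository manager URL below is a placeholder assumption.

```xml
<!-- ~/.m2/settings.xml (added example, not from the issue; URL is a placeholder) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>internal-repo-manager</id>
      <name>Single controlled proxy for all remote repositories</name>
      <!-- assumed internal repository manager that proxies the repositories
           you have approved; anything else is not reachable from a build -->
      <url>https://repo.example.internal/maven/group</url>
      <!-- "*" matches every remote repository id, including repositories
           declared in plugin POMs, so a repository a plugin introduced
           cannot be contacted directly and cannot serve its own
           "more recent" versions of internal artifacts -->
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```

The mirror decides where requests go, not which artifacts are looked up; the repository manager's proxy list is what limits which upstream sources can answer, and its access log shows any lookups for internal artifact names that the issue warns about.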