[ http://jira.codehaus.org/browse/MNG-3384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Fox updated MNG-3384:
---------------------------
Fix Version/s: 2.0.10
> Repos defined in plugin are used to download dependencies
> ---------------------------------------------------------
>
> Key: MNG-3384
> URL: http://jira.codehaus.org/browse/MNG-3384
> Project: Maven 2
> Issue Type: Bug
> Components: Artifacts and Repositories, Plugins and Lifecycle
> Affects Versions: 2.0.8
> Reporter: Stefan Seidel
> Fix For: 2.0.10
>
>
> When a plugin defines a repository, the dependencies declared to and by this
> plugin are being resolved within these repositories. While this might be
> easier, it introduces a number of problems, including the fact that it cannot
> be controlled which repos are being used, security concerns (internal
> artifact names might be sent to a remote repository, a malicious plugin could
> define a fake repo with malicious "more recent" versions of almost anything).
> If there is no intention to change the current behaviour, there should be at
> least an option to disable it.
> More unspecifically, I think the situation got worse in 2.1-SNAPSHOT (I use
> the m2eclipse plugin), because I see lookups of SNAPSHOT versions of
> dependencies occur much more often than with 2.0.8.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
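The behaviour the reporter describes, and the usual way to contain it on the consuming side, as an added example. This is not code from the Maven project or from the issue reporter; the groupIds, repository ids and URLs are constructed for illustration, and the wildcard form of mirrorOf is assumed to be supported by the Maven version in use.

```xml
<!-- Added example, not from the Maven project or the issue reporter. All ids,
     groupIds and URLs below are constructed for illustration. -->

<!-- (1) Fragment of a plugin's own pom.xml. A <repositories> element here is
     enough for Maven 2.0.8 to consult repo.example.test when it resolves the
     plugin's dependencies. The build that merely references the plugin never
     sees or approves this URL, and with updatePolicy "always" and snapshots
     enabled the repository is asked for newer versions on every run. -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.plugins</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0</version>
  <packaging>maven-plugin</packaging>
  <repositories>
    <repository>
      <id>plugin-declared-repo</id>
      <url>https://repo.example.test/maven2</url>
      <releases><updatePolicy>always</updatePolicy></releases>
      <snapshots><enabled>true</enabled></snapshots>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>1.4</version>
    </dependency>
  </dependencies>
</project>

<!-- (2) ~/.m2/settings.xml on the consuming side. A mirror with mirrorOf "*"
     routes every repository request, including requests for repositories that
     plugin POMs declare, to the internal repository manager. The URL in (1) is
     therefore never contacted and internal artifact coordinates are not sent
     to it. (Assumption: the Maven version in use honours the "*" wildcard.) -->
<settings>
  <mirrors>
    <mirror>
      <id>internal-mirror</id>
      <name>All remote lookups go through the internal repository manager</name>
      <url>https://repo.internal.example/maven2</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```

The mirror only moves the decision: the repository manager must itself be configured to proxy a fixed, reviewed set of upstream repositories, otherwise a plugin-declared host could simply be re-added there. To confirm the mirror is in effect, check the "Downloading:" lines in the build log; every URL should start with the mirror URL and none with a host taken from a plugin POM.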