Serge Knystautas wrote:

> Java has survived for 10+ years without such an attack.

And for those 10+ years, Java security has been based upon one of two
things: location and, more recently, signing.  Most jars, e.g., Sun's jars,
are not signed.  Besides, and not atypically, JAMES does not use Java 2
security.  So the security a user has when running code is derived from
trusting its origin.  Automatic installation of code from untrusted sources
renders such trust foolish at best.

> There are just too many easier ways to hack systems.

If security-naive approaches such as Maven's prevail, they will become
vectors for easy attack, which is why they are being pushed to fix the
problem.  The folks on the Maven project do recognize the issue.  They may
have been naive about security, but they are smart folks.

> when ant and maven and other methods of automatically downloading
> support authentication, then great, but I see this as a bogus
> reason to not use automatic downloads.

Imagine if someone pushed to a repository a hacked version of JAF such that
it recognized a special MIME type, and started executing instructions.  Few
would be the wiser.  Are we having fun yet?

Paranoia is a positive adaptive trait in a security administrator.
Especially when you run the code as root!

        --- Noel
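
An added example, not part of the original message or of the JAMES or Maven code: a check a build or installer could run on a downloaded jar before trusting it, using the standard `java.util.jar` API to see whether every entry is signed. The class name `JarSignerCheck` and the sample jar are constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.util.Collections;
import java.util.jar.*;

public class JarSignerCheck {  // hypothetical name, for illustration only
    /** True only if every payload entry verifies and carries at least one code signer. */
    static boolean isFullySigned(Path jar) throws IOException {
        // 'true' asks JarFile to verify signatures as entries are read.
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            boolean sawEntry = false;
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only available after the entry has been read to the end;
                // a digest mismatch on a signed entry throws SecurityException here.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) return false;
                sawEntry = true;
            }
            // A signature proves integrity relative to the signer's certificate only;
            // the caller must still compare the signers against a trusted set.
            return sawEntry;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an unsigned jar, as most jars were at the time of the thread.
        Path jar = Files.createTempFile("sample", ".jar");
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar), mf)) {
            out.putNextEntry(new JarEntry("example/Hello.txt"));
            out.write("hello".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        System.out.println("fully signed: " + isFullySigned(jar));
        Files.delete(jar);
    }
}
```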

