Stefano Bagnara wrote:

> Noel J. Bergman wrote:
>>> The fourth solution would be to add ibiblio as the last repository in 
>>> the pom.xml
>> Please don't encourage people who don't know the risks to use insecure 
>> repositories. 
>> 
>> Explain the right way: setup a local repository, download and verify
>> the artifacts, add them to your local repository.

> Do you do this when you tell people to download ant? They should download 
> ant, verify it and then use it, but you simply say "download ant" :-)

See the first hyperlink in the first sentence of 
http://ant.apache.org/bindownload.cgi.  For that matter, the entire first 
paragraph.  YES, we tell people to verify their downloads!

> You quoted the second sentence from my mail. In the first sentence I was 
> explaining that it was not automatically downloaded because we removed the 
> ibiblio repository because it is *untrusted*.

> I believe Guillermo is smart enough to read 2 related sentences ;-)

Sure, but since Guillermo is not familiar with Maven, being smart doesn't mean 
that he will immediately make the connection to the security exposure.  
Particularly if English is not his primary language, as well as Maven not being 
his primary build tool.

        --- Noel
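The "right way" Noel describes (download the artifact, verify it, then add it to a local repository) can be scripted so the verification step cannot be skipped. The following POSIX shell example is an addition to this thread, not code from either author or from the Maven project: `verify_artifact` compares a file's SHA-1 against the value the publisher provides, and `install_verified` copies the file into the standard Maven repository directory layout (groupId with dots turned into slashes, then artifactId, then version, mirroring what `mvn install:install-file` would do) only when that check passes. The group, artifact and version names and the sample jar contents are constructed for the example; the repository root is a parameter so it can point at a scratch directory or at `~/.m2/repository`.

```shell
#!/bin/sh
# Added example: checksum-gated installation into a local Maven repository layout.

# Print the SHA-1 of a file using whichever tool is available (coreutils sha1sum or Perl shasum).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_artifact FILE EXPECTED_SHA1
# Returns 0 when the file's SHA-1 equals the expected (publisher-supplied) value, 1 otherwise.
verify_artifact() {
    actual=$(sha1_of "$1")
    [ "$actual" = "$2" ]
}

# install_verified REPO_ROOT FILE GROUP_ID ARTIFACT_ID VERSION EXPECTED_SHA1
# Places FILE at REPO_ROOT/<group path>/<artifact>/<version>/<artifact>-<version>.jar
# together with a .sha1 sidecar, but only after the checksum check succeeds.
install_verified() {
    repo=$1; file=$2; group=$3; artifact=$4; version=$5; expected=$6
    if ! verify_artifact "$file" "$expected"; then
        echo "checksum mismatch for $file, refusing to install" >&2
        return 1
    fi
    dir="$repo/$(printf '%s' "$group" | tr . /)/$artifact/$version"
    mkdir -p "$dir" || return 1
    cp "$file" "$dir/$artifact-$version.jar" || return 1
    printf '%s\n' "$expected" > "$dir/$artifact-$version.jar.sha1"
    echo "installed $artifact-$version.jar into $dir"
}

# Demonstration on a constructed artifact in a scratch directory (nothing touches ~/.m2).
demo_root=$(mktemp -d)
printf 'constructed sample artifact, not a real jar\n' > "$demo_root/sample.jar"
published_sha1=$(sha1_of "$demo_root/sample.jar")   # stands in for the publisher's .sha1 file
install_verified "$demo_root/repo" "$demo_root/sample.jar" org.example sample 1.0 "$published_sha1"
# A mismatching checksum (e.g. a tampered or substituted download) is refused.
install_verified "$demo_root/repo" "$demo_root/sample.jar" org.example sample 1.0 \
    0000000000000000000000000000000000000000 || echo "rejected as expected"
rm -rf "$demo_root"
```

In practice the expected SHA-1 should come from the project's own download page or signed release announcement, not from the same untrusted repository the jar was fetched from, and a GPG signature check on the artifact gives stronger assurance than a bare checksum.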


