In defense of Stefano, I will say that I know the risks, and he warned me
about the risks. I have never worked with Maven, and I do not know how to
do all that you mention, so the explanation that Stefano gave me was the
one suited to my situation. He gave me the option to choose (and this is
important to me, and to people).
Red pill or Blue pill? :-)
But IMHO it would be good if jSPF-Trunk had an explanation like the one
there is in James-Server-Trunk (BUILDING.txt)...
for dummies like me! :-)
Sidenote: My primary build tool is javac & black console ;-)
Thanks to both!
Guillermo
----- Original Message -----
SB>>>> The fourth solution would be to add ibiblio as the last repository in
SB>>>> the pom.xml
NJ>>> Please don't encourage people who don't know the risks to use insecure
NJ>>> repositories.
NJ>>> Explain the right way: set up a local repository, download and verify
NJ>>> the artifacts, add them to your local repository.
SB>> Do you do this when you tell people to download ant? They should
SB>> download ant, verify it and then use it, but you simply say "download
SB>> ant" :-)
NJ> See the first hyperlink in the first sentence of
NJ> http://ant.apache.org/bindownload.cgi
NJ> For that matter, the entire first paragraph. YES, we tell people to
NJ> verify their downloads!
SB>> You quoted the second sentence from my mail. In the first sentence I was
SB>> explaining that it was not automatically downloaded because we removed
SB>> the ibiblio repository because it is *untrusted*.
SB>> I believe Guillermo is smart enough to read 2 related sentences ;-)
NJ> Sure, but since Guillermo is not familiar with Maven, being smart
NJ> doesn't mean that he will immediately make the connection to the
NJ> security exposure.
NJ> Particularly if English is not his primary language, as well as Maven
NJ> not being his primary build tool.
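
The procedure NJ describes in the quoted thread (download, verify, then add to the local repository), as an added shell example that is not part of the original messages or of the jSPF project. It assumes the expected SHA-256 digest was obtained from a trusted source out of band; the function names are hypothetical, and a digest check is only one way to verify (the thread does not say which method is meant).

```shell
#!/bin/sh
# Added example: verify a manually downloaded jar, then install it into
# the local Maven repository. Function names are hypothetical.

# Print the SHA-256 hex digest of a file (sha256sum or shasum, whichever exists).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 on match, 1 on digest mismatch, 2 on bad input.
verify_artifact() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; reject anything else
    # so a truncated or mistyped value can never be treated as a match.
    case $expected in
        *[!0-9a-f]*) echo "bad digest format" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "DIGEST MISMATCH for $file" >&2
        return 1
    fi
    return 0
}

# install_verified FILE SHA256 GROUP_ID ARTIFACT_ID VERSION
# Runs mvn install:install-file only after verification succeeds, so an
# unverified jar never reaches the local repository (~/.m2 by default).
install_verified() {
    verify_artifact "$1" "$2" || return $?
    mvn install:install-file -Dfile="$1" -DgroupId="$3" \
        -DartifactId="$4" -Dversion="$5" -Dpackaging=jar
}
```

With the artifact installed this way, the build resolves it from the local repository and the untrusted remote repository does not need to be listed in pom.xml.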