I would have thought it would be better practice to keep a clean separation between your pom.xml and settings.xml, where any sensitive server information goes in your settings.xml.
However, if you are worried that someone knowing a URL to an internal server is a security risk, then I would suggest you have bigger problems with your security infrastructure. As a developer, it is fantastically useful to have the pom's available even when working with closed (or non-open) source products.

On 19 November 2013 02:16, Paul Benedict <[email protected]> wrote:
> My personal opinion for closed-source products is not to include the
> generated POM. If someone somehow stole your proprietary jar, the POM might
> help to find out where to steal the rest -- URL locations and custom
> properties, in particular.
>
> On Mon, Nov 18, 2013 at 7:46 PM, Tang Kin Chuen <[email protected]> wrote:
>
>> Same here.
>>
>> Just wondering if it's common practice for close sourced products to remove
>> maven manifest info from jars... something we cannot search in open source
>> codes! :-)
>>
>> I am hoping to get an authoritative reference that says it's OK to leave it
>> there.
>> On Nov 19, 2013 9:40 AM, "Adam Retter" <[email protected]> wrote:
>>
>> > I would be interested to know what your peers perceive the security
>> > concerns as being?
>> >
>> > On 19 November 2013 01:22, Tang Kin Chuen <[email protected]> wrote:
>> > > Hi guys,
>> > >
>> > > Are there any security concerns in leaving the default pom file(s) in
>> > > meta-inf of generated jars for "commercial products"?
>> > >
>> > > I find it useful to leave it there for troubleshooting purpose, thinking
>> > > that there is not much security concerns but my peers are thinking
>> > > otherwise.
>> > >
>> > > I would like to seek some advice/opinions on this topic.
>> > >
>> > > Cheers!
>> >
>> > --
>> > Adam Retter
>> >
>> > skype: adam.retter
>> > tweet: adamretter
>> > http://www.adamretter.org.uk
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: [email protected]
>> > For additional commands, e-mail: [email protected]
>
> --
> Cheers,
> Paul

--
Adam Retter

skype: adam.retter
tweet: adamretter
http://www.adamretter.org.uk
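The thread turns on what an embedded POM actually discloses (URL locations and custom properties). As an added example, not part of the thread and not Maven's own code, this audit lists those values from the `META-INF/maven/.../pom.xml` entries of a jar so a team can review them before shipping; the sample POM, host names and property names are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample POM; hosts, ids and property names are made up.
SAMPLE_POM = b"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId>
  <artifactId>billing-core</artifactId>
  <properties><deploy.host>build01.corp.example</deploy.host></properties>
  <distributionManagement><repository>
    <id>internal-releases</id>
    <url>https://nexus.corp.example/repository/releases</url>
  </repository></distributionManagement>
  <scm><connection>scm:git:ssh://git.corp.example/billing.git</connection></scm>
</project>"""

# The descriptor is stored as META-INF/maven/<groupId>/<artifactId>/pom.xml
POM_ENTRY = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.xml$")
URLISH = re.compile(r"[a-z][a-z0-9+.-]*://", re.I)

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_jar(jar):
    """Return (entry, kind, element, value) for each property and URL in embedded POMs."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        for name in filter(POM_ENTRY.match, zf.namelist()):
            root = ET.fromstring(zf.read(name))
            for parent in root.iter():
                for child in parent:
                    text = (child.text or "").strip()
                    if text and local(parent.tag) == "properties":
                        findings.append((name, "property", local(child.tag), text))
                    elif URLISH.search(text):
                        findings.append((name, "url", local(child.tag), text))
    return findings

def build_sample_jar():
    """Build a constructed jar in memory so the audit runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/com.example/billing-core/pom.xml", SAMPLE_POM)
        zf.writestr("com/example/Billing.class", b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for finding in audit_jar(build_sample_jar()):
        print(*finding, sep="\t")
```

`audit_jar` also accepts a file path, so it can be pointed at a release artifact in a build pipeline.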
