Ok, in no particular order, and most concerns are not necessarily security:
1. I download and use a jar which does something evil besides its stated purpose. For example, suppose someone hacks a xerces implementation and I build with it.
2. Two people download the same named and versioned jar at different times. But for some reason the jars are not the same (perhaps one was quickly patched without a version change). One person's works, one person's doesn't.
3. I download and use a jar which is no longer supported.
4. I download and use a jar whose license (which I don't read or understand) makes my company liable for damages.

I guess most of these issues relate to how to use open source software in a safe and responsible way. Anyway I'm trying to figure this stuff out before someone at the management level raises difficult questions.

-c. helck

-----Original Message-----
From: Carlos Sanchez [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 3:34 PM
To: 'Maven Users List'
Subject: RE: Security question about remote repositories.

Also I'd like to hear those concerns.

> -----Original Message-----
> From: Helck, Christopher [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 29, 2004 8:39 PM
> To: Maven Users List
> Subject: Security question about remote repositories.
>
> Maven makes it very easy to download and use jars off the web. I think this is good, but a security expert has raised some concerns about it.
> Can anyone suggest a set of policies to use when determining which packages to use and how/when to download them? I'm thinking along the lines of creating a local repository behind our firewall and only moving "approved" packages from www.ibiblio.org/maven to it. Any suggestions would be helpful.
>
> Thanks,
> C. Helck
>
> The information contained in this e-mail is confidential. This e-mail is intended only for the stated addressee. If you are not an addressee, you must not disclose, copy, circulate or in any other way use or rely on the information contained in this e-mail. If you have received this e-mail in error, please inform us immediately and delete it and all copies from your system.
>
> EBS Dealing Resources International Limited. Registered address: 55-56 Lincoln's Inn Fields, London WC2A 3LJ, United Kingdom. Registered number 2633663.
>
> EBS Dealing Resources, Inc, registered in Delaware. Address: 535 Madison Avenue, 24th Floor, New York, NY 10022, USA, and One Upper Pond Road, Building F - Floor 3, Parsippany, NJ 07054, USA.
>
> EBS Dealing Resources Japan Limited, a Japanese Corporation. Address: Asteer Kayabacho Bldg, 6th Floor, 1-6-1, Shinkawa, Chuo-Ku, Tokyo 104-0033, Japan.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
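One way to act on concern 2 (same name and version, different bytes) together with the "approved local repository" idea from the original question, as an added example that is not from this thread or from Maven: pin the SHA-256 of each reviewed jar and refuse to promote anything whose bytes differ. The allowlist format, the coordinate strings and the jar contents below are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for jar bytes (real jars are zip files; only exact
# byte equality with what was reviewed matters here).
REVIEWED_JAR = b"PK\x03\x04 constructed xercesImpl contents"
SILENTLY_PATCHED_JAR = b"PK\x03\x04 constructed xercesImpl contents, re-cut"

# Allowlist for the internal repository: coordinate -> SHA-256 of the reviewed
# bytes. Assumed format and constructed coordinate, not a Maven file. In
# practice the hash is recorded at review sign-off, not at download time.
APPROVED = {"xerces:xercesImpl:2.6.2": hashlib.sha256(REVIEWED_JAR).hexdigest()}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large jars need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_artifact(coordinate: str, path: Path, approved=APPROVED) -> str:
    """Verdict for a downloaded jar before it is promoted behind the firewall:
    "unknown"  - never reviewed: do not promote, start a review;
    "mismatch" - name and version match a reviewed jar but the bytes differ
                 (patched without a version bump, or a tampered mirror);
    "approved" - byte-for-byte what was reviewed: safe to promote."""
    expected = approved.get(coordinate)
    if expected is None:
        return "unknown"
    return "approved" if sha256_of(path) == expected else "mismatch"


def demo() -> dict:
    """Write the constructed jars to a temp dir and check each one."""
    cases = {
        "reviewed": ("xerces:xercesImpl:2.6.2", REVIEWED_JAR),
        "patched": ("xerces:xercesImpl:2.6.2", SILENTLY_PATCHED_JAR),
        "unreviewed": ("example:unreviewed:1.0", b"never looked at"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, (coord, data) in cases.items():
            jar = Path(d) / f"{label}.jar"
            jar.write_bytes(data)
            results[label] = check_artifact(coord, jar)
    return results
```

Calling demo() returns {"reviewed": "approved", "patched": "mismatch", "unreviewed": "unknown"}; the "patched" case is concern 2 made visible at promotion time instead of surfacing later as "works for one person, not the other".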