james-general mailing list archives

From "Noel J. Bergman" <n...@devtech.com>
Subject RE: website updated, maven2 poms, temporary repository, new artifacts
Date Sat, 29 Jul 2006 17:10:23 GMT

> As you already noticed the new site is 42MB

Yes.  Discussed that in another thread.

> > I continue to refuse to condone the use of Maven repositories until they
> > the security issues.

> I still don't understand the security issues.

The fact that Maven naively downloads things and never verifies them.  This
is an unconscionably naive behavior, as they are well aware by now.  And,
yes, they are being pushed to fix this.

When it comes to security, I (and most of the rest of infrastructure) tend
to be extremely conservative.  And, no, I am not looking forward to Web 2.0,
which I believe will, for quite some time, make MS-Windows look secure in
comparison.  But I digress ...

> You can manually check signatures of downloaded jars as you would do
> with manual downloads.

Few if any ever do.  More, but not nearly enough, do when they download
manually, and a percentage close to nil do when the tool automates the
download process.

> > More importantly, if [it] is a correct fact, as you state and Alex also
> > mentioned as a problem, that you need to create a repository for maven to
> > work at all is reason to not use Maven.  If maven cannot work standalone, it
> > should not be used.  Please tell me that Maven is not really that stupid
> > build system.

> Well, it seems that you're really against maven at all.

Read the above again.  What I said is that IF Maven cannot run disconnected,
THEN I am against using it.  YES.  Absolutely.  But if Maven CAN run
disconnected, then the predicate is false.  And you appear to be saying that
it can ...

> I could change the configuration to use local jars [instead]
> of using repositories

So that would solve the problem?

> but maven repositories are really a good thing.  IMO they are
> the solution, not the problem.

A solution to what?

I want to run svn up, then be disconnected from the Internet, and still be
able to work.

> Furthermore I currently use it in server code just to create the
> website.

As a practical matter, I'm more concerned about our project builds than the
web-site builds, although I'd like to be able to do everything while

	--- Noel
