james-server-dev mailing list archives

From "Serge Knystautas" <sknystau...@gmail.com>
Subject Re: Maven2 opinions
Date Tue, 30 May 2006 16:35:57 GMT
On 5/29/06, Noel J. Bergman <noel@devtech.com> wrote:
> team indicates they don't support.  Second, and more importantly, they must
> handle authentication of signed artifacts.  Without the latter, I would
> sooner include the necessary jars, or require the user to download them
> directly from a vendor site.  Automatic downloading and installation without
> verification is wrong, dangerous and irresponsible.  I don't mean signed
> jars in the Java sense of jar signing.  I mean signed as in the ASF release
> methodology.

I think this is just a bunch of FUD.  Java has survived for 10+ years
without such an attack.  There are just too many easier ways to hack

Obviously when ant and maven and other methods of automatically
downloading support authentication, then great, but I see this as a
bogus reason to not use automatic downloads.

Serge Knystautas
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com
