james-server-dev mailing list archives

From "Serge Knystautas" <sknystau...@gmail.com>
Subject Re: Maven2 opinions
Date Tue, 30 May 2006 16:35:57 GMT
On 5/29/06, Noel J. Bergman <noel@devtech.com> wrote:
> team indicates they don't support.  Second, and more importantly, they must
> handle authentication of signed artifacts.  Without the latter, I would
> sooner include the necessary jars, or require the user to download them
> directly from a vendor site.  Automatic downloading and installation without
> verification is wrong, dangerous and irresponsible.  I don't mean signed
> jars in the Java sense of jar signing.  I mean signed as in the ASF release
> methodology.

I think this is just a bunch of FUD.  Java has survived for 10+ years
without such an attack.  There are just too many easier ways to hack
systems.

Obviously when ant and maven and other methods of automatically
downloading support authentication, then great, but I see this as a
bogus reason to not use automatic downloads.

-- 
Serge Knystautas
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com
