james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Norman Maurer ...@byteaction.de>
Subject RE: Maven2 opinions
Date Fri, 02 Jun 2006 14:13:52 GMT
Am Dienstag, den 30.05.2006, 17:26 -0400 schrieb Noel J. Bergman:
> Serge Knystautas wrote:
> 
> > Java has survived for 10+ years without such an attack.
> 
> And for those 10+ years, Java security has been based upon one of two
> things: location and, more recently, signing.  Most jars, e.g., Sun's jars,
> are not signed.  Besides, and not atypically, JAMES does not use Java 2
> security.  So the security a user has when running code is derived from
> trusting its origin.  Automatic installation of code from untrusted sources
> renders such trust foolish at best.
> 
> > There are just too many easier ways to hack systems.
> 
> If security naive approaches such as Maven's prevail they will become
> vectors for easy attack, which is why they are being pushed to fix the
> problem.  The folks on the Maven project do recognize the issue.  They may
> have been naive about security, but they are smart folks.
> 
> > when ant and maven and other methods of automatically downloading
> > support authentication, then great, but I see this as a bogus
> > reason to not use automatic downloads.
> 
> Imagine if someone pushed to a repository a hacked version of JAF such that
> it recognized a special MIME type, and started executing instructions.  Few
> would be the wiser.  Are we having fun yet?
> 
> Paranoia is a positive adaptive trait in a security administrator.
> Especially when you run the code as root!
> 
> 	--- Noel

This is especially why we should test more the usage of commons daemon
to start james and drop the privileges!

bye
Norman


Mime
View raw message