Posted to issues@maven.apache.org by "Brett Porter (JIRA)" <ji...@codehaus.org> on 2009/07/01 19:22:05 UTC
[jira] Closed: (MNG-3384) Repos defined in plugin are used to download dependencies
[ http://jira.codehaus.org/browse/MNG-3384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brett Porter closed MNG-3384.
-----------------------------
Assignee: Brett Porter
Resolution: Duplicate
Fix Version/s: (was: 2.2.1)
same as linked issues
> Repos defined in plugin are used to download dependencies
> ---------------------------------------------------------
>
> Key: MNG-3384
> URL: http://jira.codehaus.org/browse/MNG-3384
> Project: Maven 2
> Issue Type: Bug
> Components: Artifacts and Repositories, Plugins and Lifecycle
> Affects Versions: 2.0.8
> Reporter: Stefan Seidel
> Assignee: Brett Porter
>
> When a plugin defines a repository, the dependencies declared to and by this plugin are being resolved within these repositories. While this might be easier, it introduces a number of problems, including the fact that it cannot be controlled which repos are being used, security concerns (internal artifact names might be sent to a remote repository, a malicious plugin could define a fake repo with malicious "more recent" versions of almost anything).
> If there is no intention to change the current behaviour, there should be at least an option to disable it.
> More unspecifically, I think the situation got worse in 2.1-SNAPSHOT (I use the m2eclipse plugin), because I see lookups of SNAPSHOT versions of dependencies occur much more often than with 2.0.8.
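The issue above asks for a way to stop plugin-declared repositories from being consulted for dependency resolution. A control that Maven already supports is a user-level (or CI-level) mirror that routes every remote repository request through a repository manager the build owner controls. The following settings.xml is an added example, not part of the JIRA issue or of Maven's own documentation; the repository URL is a placeholder, and the assumption is that an internal repository manager exists at that address and proxies only approved upstream repositories.

```xml
<!-- ~/.m2/settings.xml (added example; the URL is a placeholder for an
     internal repository manager and is not taken from the issue) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <mirrors>
    <!-- mirrorOf "*" matches every remote repository id Maven encounters,
         including <repositories> and <pluginRepositories> elements declared
         in a plugin's or dependency's own POM. Those declarations still
         exist, but the request is redirected to the mirror URL, so artifact
         names and version lookups (including SNAPSHOT checks) are sent only
         to the repository manager, never to the plugin-supplied host. -->
    <mirror>
      <id>internal-repository-manager</id>
      <name>All remote requests routed through the internal repository manager</name>
      <url>https://repo.example.internal/maven2/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```

With this in place, the set of upstream repositories the manager is configured to proxy becomes the effective allowlist for the build, and the manager's access log is a single place to see which artifacts (and which SNAPSHOT metadata) were requested. Running a build with `mvn -X` prints, per artifact, the repository it was resolved from, which is a quick way to confirm that nothing bypasses the mirror.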
--
This message is automatically generated by JIRA.