Posted to dev@maven.apache.org by Tamás Cservenák <ta...@cservenak.net> on 2021/05/04 07:26:41 UTC
plexus-sec-dispatcher
Howdy,
plexus-sec-dispatcher is a really widely used dependency; it is used in Maven
itself, but also in many shared components and plugins (nb: there are even
some org.sonatype.plexus:plexus-sec-dispatcher among shared deps!).
Given this module is really maven specific, I see no reason to keep it
"outside" (in codehaus-plexus org), as I am really unaware of anything else
using it. Moreover, the module has a single dependency on plexus-cipher.
Both projects are just a handful of classes.
So, my proposal:
* create maven-sec-dispatcher project (among maven-shared-components)
* collapse the two projects (both have a handful of classes,
plexus-sec-dispatcher and plexus-cipher) in there
* org.apache.maven.shared:maven-sec-dispatcher becomes a "drop in"
replacement for org.plexus/org.sonatype.plexus:plexus-sec-dispatcher.
* bonus, this cuts (transitive) dependencies by one as well
WDYT?
Thanks
T
Re: plexus-sec-dispatcher
Posted by Michael Osipov <mi...@apache.org>.
Am 2021-05-04 um 09:26 schrieb Tamás Cservenák:
> Howdy,
>
> plexus-sec-dispatcher is a really widely used dependency; it is used in Maven
> itself, but also in many shared components and plugins (nb: there are even
> some org.sonatype.plexus:plexus-sec-dispatcher among shared deps!).
>
> Given this module is really maven specific, I see no reason to keep it
> "outside" (in codehaus-plexus org), as I am really unaware of anything else
> using it. Moreover, the module has a single dependency on plexus-cipher.
> Both projects are just a handful of classes.
>
> So, my proposal:
> * create maven-sec-dispatcher project (among maven-shared-components)
> * collapse the two projects (both have a handful of classes,
> plexus-sec-dispatcher and plexus-cipher) in there
> * org.apache.maven.shared:maven-sec-dispatcher becomes a "drop in"
> replacement for org.plexus/org.sonatype.plexus:plexus-sec-dispatcher.
> * bonus, this cuts (transitive) dependencies by one as well
A provocative question from my side: Why do we need this at all? It
gives people a false sense of security (common misconception). You
cannot securely encrypt a password w/o having a key in plaintext
somewhere. This is what we do.
See: https://cwiki.apache.org/confluence/display/TOMCAT/Password
One can apply obfuscation like Jetty supports, but that's pretty much
it. A proper solution is to support external credential stores like
Subversion or Git do.
I would rather prefer this in Maven 4.0.0 and remove in 5.0.0.
Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
Re: plexus-sec-dispatcher
Posted by Tamás Cservenák <ta...@cservenak.net>.
>
>
> would make sense with changing groupId/artifactId and packages
>
> but cons: release this if needed will take ages because of ASF procedures
>
>
So, understood re ID/package
But forgot about the ASF process... but it would be weird if I want to
"de-plexus" plexus-sec-dispatcher in codehaus-plexus org ... :)
T
Re: plexus-sec-dispatcher
Posted by Olivier Lamy <ol...@apache.org>.
On Tue, 4 May 2021 at 17:27, Tamás Cservenák <ta...@cservenak.net> wrote:
> Howdy,
>
> plexus-sec-dispatcher is a really widely used dependency; it is used in Maven
> itself, but also in many shared components and plugins (nb: there are even
> some org.sonatype.plexus:plexus-sec-dispatcher among shared deps!).
>
> Given this module is really maven specific, I see no reason to keep it
> "outside" (in codehaus-plexus org), as I am really unaware of anything else
> using it. Moreover, the module has a single dependency on plexus-cipher.
> Both projects are just a handful of classes.
>
> So, my proposal:
> * create maven-sec-dispatcher project (among maven-shared-components)
> * collapse the two projects (both have a handful of classes,
> plexus-sec-dispatcher and plexus-cipher) in there
> * org.apache.maven.shared:maven-sec-dispatcher becomes a "drop in"
> replacement for org.plexus/org.sonatype.plexus:plexus-sec-dispatcher.
> * bonus, this cuts (transitive) dependencies by one as well
>
> WDYT?
>
would make sense with changing groupId/artifactId and packages
but cons: release this if needed will take ages because of ASF procedures
:)
> Thanks
> T
>
Re: plexus-sec-dispatcher
Posted by Elliotte Rusty Harold <el...@ibiblio.org>.
Changing artifact and group ID but leaving package names the same is a
recipe for classpath conflicts and broken builds:
https://jlbp.dev/JLBP-6
https://jlbp.dev/JLBP-19
If you change the artifact ID, change package names too. There's no
such thing as a drop-in replacement with a different ID.
On Tue, May 4, 2021 at 7:27 AM Tamás Cservenák <ta...@cservenak.net> wrote:
>
> Howdy,
>
> plexus-sec-dispatcher is a really widely used dependency; it is used in Maven
> itself, but also in many shared components and plugins (nb: there are even
> some org.sonatype.plexus:plexus-sec-dispatcher among shared deps!).
>
> Given this module is really maven specific, I see no reason to keep it
> "outside" (in codehaus-plexus org), as I am really unaware of anything else
> using it. Moreover, the module has a single dependency on plexus-cipher.
> Both projects are just a handful of classes.
>
> So, my proposal:
> * create maven-sec-dispatcher project (among maven-shared-components)
> * collapse the two projects (both have a handful of classes,
> plexus-sec-dispatcher and plexus-cipher) in there
> * org.apache.maven.shared:maven-sec-dispatcher becomes a "drop in"
> replacement for org.plexus/org.sonatype.plexus:plexus-sec-dispatcher.
> * bonus, this cuts (transitive) dependencies by one as well
>
> WDYT?
>
> Thanks
> T
--
Elliotte Rusty Harold
elharo@ibiblio.org
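
Added example, not part of the thread and not code from Maven or Plexus: a check for the classpath conflict described in the message above. Maven mediates versions per groupId:artifactId, so two artifacts with different IDs both stay on the classpath, and a class they both define is then picked by classpath order. The jar contents, the class names and the renamed package are constructed for illustration.

```python
import io
import zipfile
from collections import defaultdict

def build_jar(entries):
    """Bytes of a minimal jar with empty .class entries (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return buf.getvalue()

def class_names(jar_bytes):
    """Fully qualified class names in a jar, ignoring descriptors and META-INF."""
    skip = ("module-info.class", "package-info.class")
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {
            name[: -len(".class")].replace("/", ".")
            for name in jar.namelist()
            if name.endswith(".class")
            and not name.endswith(skip)
            and not name.startswith("META-INF/")
        }

def find_overlaps(classpath):
    """Map each class defined by more than one artifact to the artifacts defining it.

    classpath: dict of "groupId:artifactId" -> jar bytes.
    """
    owners = defaultdict(set)
    for coords, jar_bytes in classpath.items():
        for cls in class_names(jar_bytes):
            owners[cls].add(coords)
    return {cls: sorted(ids) for cls, ids in owners.items() if len(ids) > 1}

# Constructed jars; the class entries are sample names, not read from real artifacts.
PKG = "org/sonatype/plexus/components/sec/dispatcher/"
OLD = build_jar([PKG + "SecDispatcher.class", PKG + "DefaultSecDispatcher.class"])
SAME_PKG = build_jar([PKG + "SecDispatcher.class", PKG + "DefaultSecDispatcher.class"])
NEW_PKG = build_jar(["org/apache/maven/shared/sec/SecDispatcher.class"])  # hypothetical package

OLD_ID = "org.sonatype.plexus:plexus-sec-dispatcher"
NEW_ID = "org.apache.maven.shared:maven-sec-dispatcher"

if __name__ == "__main__":
    for label, new_jar in (("same packages", SAME_PKG), ("renamed packages", NEW_PKG)):
        overlaps = find_overlaps({OLD_ID: OLD, NEW_ID: new_jar})
        print(f"{label}: {len(overlaps)} class(es) defined twice")
        for cls, ids in sorted(overlaps.items()):
            print(f"  {cls} <- {', '.join(ids)}")
```

Run against the resolved jars of a real build, a non-empty result means the class that gets loaded depends on classpath order rather than on the version the build declared.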