ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ara Abrahamian" <>
Subject RE: Ant Security
Date Fri, 12 Jul 2002 08:09:16 GMT
I'm sure users will end up becoming more confused: "hey but I have
version x of library y but ant downloaded version z and it doesn't work
any more". Or "I'm building a project at home and although I have
junit.jar but Ant suddenly decided to download it again from the site
over my slow connection". And automatic start of updates without the
user approving it is bad imho.

Imho a better solution is: define in antlib's deployment descriptor
files which jars the task depends upon and show an error message if that
jar is not found. That's exactly what we're doing in XDoclet 1.2. So if
you use webdoclet but javax.servlet is missing we show an error message
according to the <class-dependency/> of the module.xml descriptor file.


> -----Original Message-----
> From:
> Sent: Tuesday, July 09, 2002 4:55 PM
> To: Ant Developers List
> Subject: Ant Security
> I see a lot of discussion in the antlib/ant2 threads about automatic
> download of required jars. To me this raises some security concerns.
> would be quite simple for this mechanism to be abused to load
> unauthorized code onto a user's machine. Already, today, the ability
> <get> and <exec> exists. The addition of proxy capability will only
> this easier.
> I've started to address this in Mutant with a simple policy file. I
> reorganize the directory structure to make it more convenient for
> specifying the policy permissions.
> Anyway, I though it was worth raising the issue now for discussion
> especially as the concept of an Ant1 antlib is again on the agenda.\
> Thoughts?
> Conor
> --
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message