Maven 安全问题 [英] Maven Security Concerns

问题描述

使用 Maven 是否存在安全问题?我今天将 Ant 用于我的主要项目，但我确实将 Maven 用于我编写程序峰值的示例"项目.我确实喜欢 Maven 的某些部分，但担心通过该工具下载我的 jar.这是一个毫无根据的担忧吗?http://repo1.maven.org/maven2/"有多安全?有没有更安全的工具使用方式?

Are there security concerns with using Maven? I use Ant today for my main project, but I do use Maven for my "samples" project where I write program spikes. I do like some parts of Maven, but have a concern with downloading my jars through the tool. Is this an unfounded concern? How secure is "http://repo1.maven.org/maven2/"? Is there a more secure way of using the tool?

谢谢.

推荐答案

它非常安全和标准.如果 http://repo1.maven.org/maven2/ 的安全性受到威胁，将会有在 Java 开发者中有很大的反响.我从来没有听说过这个网站被黑了.

It's pretty secure and standard. If ever the security of http://repo1.maven.org/maven2/ is compromised, there will have big repercussion in Java devs. I never heard that this site is hacked.

也就是说，您不受默认存储库的限制.您可以使用 Nexus、Artifactory 并手动为它们安装安全工件.您还可以使用 Nexus/Artifactory 设置阻止远程存储库.虽然，我从来不需要这样做.但是看看这里，也许有可能.

That said, you are not bounded by default repository. You can configure your own repository using Nexus, Artifactory and install safe artifacts manually to them. You may also block remote repositories using Nexus/Artifactory setting. Although, I never needed to do this. But look here, perhaps it's possible.

请注意，您必须阻止本地存储库才能使用repo1"，否则本地存储库默认会从那里下载工件.

Please note that you will have to block your local repository to use "repo1", else the local repository will download artifacts from there by default.

编辑 1:添加缺失的链接

这篇关于Maven 安全问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！