XpdWiki

ChrisStevenson


ChrisStevenson has just moved to London from Australia, basically for a change of scenery.

He maintains a weblog at http://cgi.skizz.plus.com/blog/dev

He is employed by ThoughtWorks and has been involved in XP for 5 years, after introducing it at his previous employer as part of a sneaky agenda to move from VB to Java.


Chris, I haven't found an email address for you so I hope you see this.

I've come up with another couple of gripes about Maven web sites after last XtC. The xdoc-to-HTML translator:

  • creates awful HTML that doesn't respect whitespace in the original text.
  • creates invalid HTML that contains multiple elements with the same id.

Also, I pulled the Maven code out of CVS and had a look through it. My suspicions about its security seem to be correct. It pulls back JAR files over unsecured HTTP and then checks by comparing MD5 checksums with checksums downloaded from the same site. If the checksums are equal it then runs the downloaded code with the permissions of the user. The vulnerabilities to man-in-the-middle spoofing attacks or a compromise of the repository server are obvious.

What is surprising is that these vulnerabilities exist in a project that has appointed itself as an example of best practices for projects written in Java, a language that was expressly designed to securely execute code downloaded over hostile networks. Why have the Maven team not used any of Java's security features?

--NatPryce
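
An added illustration of the integrity problem described in the comment above (this is example code written for this page; it is not Maven's code and not code by the comment's author). An in-memory dictionary stands in for the repository server and plain-HTTP fetch, the artifact path and JAR bytes are constructed, and the SHA-256 digest pinned in the project's own configuration is this example's choice of out-of-band reference, not something the page itself describes. It shows why a checksum fetched from the same server as the artifact cannot detect substitution (both files change together), while a digest recorded by the consumer when the dependency was vetted does.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed artifact path; not a real Maven coordinate.
ARTIFACT = "lib/jars/library-1.0.jar"


def make_repo(jar_bytes: bytes) -> Dict[str, bytes]:
    """Model a repository that publishes a JAR and its .md5 file side by side,
    the layout the comment describes. Any party able to replace the JAR can
    regenerate the .md5 too, so the pair stays self-consistent."""
    return {
        ARTIFACT: jar_bytes,
        ARTIFACT + ".md5": hashlib.md5(jar_bytes).hexdigest().encode("ascii"),
    }


# Constructed byte strings standing in for a vetted JAR and a substituted one.
GENUINE_JAR = b"PK\x03\x04 genuine library-1.0 (constructed bytes)"
ALTERED_JAR = b"PK\x03\x04 altered library-1.0 (constructed bytes)"

GENUINE_REPO = make_repo(GENUINE_JAR)
ALTERED_REPO = make_repo(ALTERED_JAR)  # checksum file regenerated to match

# Digest recorded with the project when the dependency was first vetted.
# It never travels over the same channel as the artifact.
PINNED_SHA256 = hashlib.sha256(GENUINE_JAR).hexdigest()


def fetch(repo: Dict[str, bytes], path: str) -> bytes:
    """Stand-in for an unauthenticated HTTP GET against the repository."""
    return repo[path]


def verify_same_channel(repo: Dict[str, bytes]) -> bool:
    """The check the comment describes: compare the download's MD5 with the
    .md5 file fetched from the same server. This catches accidental
    corruption in transit only; both inputs come from the same untrusted
    source, so a consistent substitution passes."""
    jar = fetch(repo, ARTIFACT)
    published = fetch(repo, ARTIFACT + ".md5").decode("ascii").strip()
    return hashlib.md5(jar).hexdigest() == published


def verify_pinned(repo: Dict[str, bytes], expected_sha256: str) -> bool:
    """Compare the download with a digest the consumer holds independently.
    The repository cannot influence the expected value, so substitution of
    the artifact is detected. compare_digest avoids timing side channels."""
    jar = fetch(repo, ARTIFACT)
    actual = hashlib.sha256(jar).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def should_execute(repo: Dict[str, bytes], expected_sha256: str) -> Tuple[bool, str]:
    """Gate the 'then run the downloaded code' step on the pinned check rather
    than the same-channel one. Returns (decision, reason) for logging."""
    if not verify_same_channel(repo):
        return False, "download corrupted in transit (same-channel checksum mismatch)"
    if not verify_pinned(repo, expected_sha256):
        return False, "artifact does not match the pinned digest; refusing to run"
    return True, "artifact matches pinned digest"


if __name__ == "__main__":
    for name, repo in (("genuine", GENUINE_REPO), ("altered", ALTERED_REPO)):
        print(name, "same-channel:", verify_same_channel(repo),
              "pinned:", verify_pinned(repo, PINNED_SHA256),
              "decision:", should_execute(repo, PINNED_SHA256))
```

The same-channel check reports success for both repositories, which is exactly the gap the comment points out: the check cannot distinguish a genuine artifact from a substituted one when the reference value is served alongside it. The pinned check rejects the altered repository. A signature verified against a key the consumer already holds (for instance a signed JAR checked with a pre-distributed certificate, one of the Java platform features the comment alludes to) applies the same principle: the trust anchor must come from somewhere the repository cannot overwrite.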


This page last changed on 03-Jun-2003 13:56:47 BST by unknown.