On 3/14/2015 10:14 PM, Arun Gupta wrote:
> Wayne,
>
> See in line ...
>
> On Sat, Mar 14, 2015 at 4:06 PM, Wayne Pollock <pollock_at_acm.org> wrote:
>> ...
>> Maven scares me. As far as I can tell from the Google searching I've
>> done, the Maven central repository consists of unsigned contributed code.
>> The maven tool automatically downloads, installs, and runs such code. I
>> can't imagine how much longer it will be, before malware makes its way
>> into developers' PCs, and ultimately to servers, using maven as an
>> attack vector.
>
> Maven is indeed scary, but a pragmatic reality. So we all have to get
> used to it :)
I don't agree with that. I can imagine legal liability issues if you
use Maven on a production server, knowing its security holes exist.
I know there are alternatives such as ant tasks. (Those aren't signed
either, but at least you must manually download and install them, so
you have a chance to examine them for malware before use.)
In any case, I don't like telling students that "Java EE is all
hand-waving, GUI and/or 'mvn deploy' commands, and never mind
understanding it all; just click here, then click there, and that's
Java EE programming."
>
> Have you looked at https://github.com/javaee-samples/javaee7-samples
> that shows Hello World samples for different Java EE 7 technologies?
> They can run against WildFly or GlassFish.
>
> There is also https://github.com/javaee-samples/javaee7-simple-sample
> that is a simple sample to showcase different Java EE 7 technologies.
>
I have. They too use Maven.
>> ...
> Have you looked at
> http://www.mastertheboss.com/jboss-server/wildfly-8/maven-configuration-for-java-ee-7-projects-on-wildfly?
>
>
I have. I like the site MasterTheBoss.com, but all the tutorials there use
Maven, Eclipse, or Netbeans. I don't mind that really, I use Eclipse myself.
But I do like explanations on what the tools are doing so one can visualize
the sub-tasks, trouble-shoot setups, transfer the knowledge to a new
toolset (and we all know that sooner or later, there will be new tools!),
and roll-your-own deployment scripts if you want. I like to examine downloaded
WAR files in 7-zip, and assess their quality. Without understanding of
manifest files, I would never have found the cause of the GF 4.01 bugs.
I believe these skills are important, if not for the beginner to have, at
least important for a beginner to know about. That's why I would like at
least a Hello, World that used basic deployment and compilation tools,
and comments in other tutorials about what has been left out for clarity,
with pointers to, say, the CERT/Oracle secure coding website.
(FYI, I have a Java code signing demo and tutorial at
<http://wpollock.com/AJava/SignedCodeDemo/>, if anyone is interested.)
Given Oracle's directions, learning code signing is important. (And
no, I'm not interested in any tutorial that just states
"use mvn sign". :-)
> Arun
>> ...
--
Wayne Pollock
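The message above argues for looking inside a downloaded WAR, reading its manifest, and knowing whether the archive is signed before deploying it. The script below is an added example of that inspection, not code from this thread or from the SignedCodeDemo tutorial it links. It parses MANIFEST.MF (including the 72-byte line wrapping), lists the JAR signature files under META-INF/, and reports classes the manifest carries no digest for. Both archives it examines are constructed in memory; the APP.SF/APP.RSA entries are placeholder bytes and the digest value is a dummy, so "appears_signed" means only that the files are present.

```python
import io
import zipfile

# Suffixes of JAR signature files; they live directly under META-INF/.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def parse_manifest(text):
    """Parse MANIFEST.MF into (main attributes, [per-entry attribute dicts]).

    Sections are separated by blank lines. The JAR spec wraps lines at 72
    bytes; a line beginning with a single space continues the previous
    attribute, and that leading space is dropped when the pieces are joined.
    """
    sections, current, last_key = [], {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":
            if current:
                sections.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(" "):
            if last_key is None:
                raise ValueError("continuation line with nothing to continue")
            current[last_key] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep or not key or " " in key:
            raise ValueError(f"malformed manifest line: {line!r}")
        last_key = key
        current[key] = value[1:] if value.startswith(" ") else value
    if current:
        sections.append(current)
    return (sections[0], sections[1:]) if sections else ({}, [])


def inspect_archive(data):
    """Inventory what a WAR/JAR declares about itself.

    This reports, it does not verify: a .SF/.RSA pair can be present and
    still fail `jarsigner -verify`. It surfaces what is worth a look before
    deploying: external Class-Path references, whether signature files
    exist, and classes the manifest carries no digest for.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        main, entries = {}, []
        if "META-INF/MANIFEST.MF" in names:
            main, entries = parse_manifest(
                zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    sig_files = sorted(
        n for n in names
        if n.startswith("META-INF/") and "/" not in n[len("META-INF/"):]
        and n.upper().endswith(SIGNATURE_SUFFIXES))
    digested = [e["Name"] for e in entries
                if "Name" in e and any(k.endswith("-Digest") for k in e)]
    classes = [n for n in names if n.endswith(".class")]
    return {
        "manifest": main,
        "class_path": main.get("Class-Path", "").split(),
        "signature_files": sig_files,
        # A signed JAR carries a signature file (.SF) plus a signature block.
        "appears_signed": any(n.upper().endswith(".SF") for n in sig_files)
        and any(n.upper().endswith(SIGNATURE_SUFFIXES[1:]) for n in sig_files),
        "digested_entries": digested,
        "undigested_classes": [n for n in classes if n not in digested],
    }


def build_archive(files):
    """Constructed helper: build an in-memory zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample 1: an unsigned WAR whose Class-Path line is wrapped.
UNSIGNED_WAR = build_archive({
    "META-INF/MANIFEST.MF": (
        "Manifest-Version: 1.0\r\n"
        "Created-By: 1.8.0_40 (Oracle Corporation)\r\n"
        "Class-Path: lib/commons-io-2.4.jar lib/jackson-da\r\n"
        " tabind-2.5.0.jar\r\n"),
    "WEB-INF/web.xml": "<web-app/>",
    "WEB-INF/classes/hello/HelloServlet.class": b"\xca\xfe\xba\xbe",
})

# Constructed sample 2: a JAR that looks signed. APP.SF/APP.RSA are placeholder
# bytes (not real signature data) and the digest value is a dummy. One class
# is listed in the manifest; a second was dropped in afterwards and is not.
SIGNED_LOOKING_JAR = build_archive({
    "META-INF/MANIFEST.MF": (
        "Manifest-Version: 1.0\r\n"
        "Created-By: 1.8.0_40 (Oracle Corporation)\r\n"
        "\r\n"
        "Name: hello/Hello.class\r\n"
        "SHA-256-Digest: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\r\n"),
    "hello/Hello.class": b"\xca\xfe\xba\xbe",
    "hello/Injected.class": b"\xca\xfe\xba\xbe",
    "META-INF/APP.SF": b"placeholder signature file",
    "META-INF/APP.RSA": b"placeholder signature block",
})

if __name__ == "__main__":
    for label, data in (("unsigned.war", UNSIGNED_WAR),
                        ("signed.jar", SIGNED_LOOKING_JAR)):
        print(label, inspect_archive(data))
```

Run it against a real archive by passing the file's bytes to inspect_archive(). A non-empty undigested_classes list on a jar that claims to be signed is exactly the case to follow up with `jarsigner -verify -verbose`, which checks the digests and the certificate chain that this inventory does not.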