users@glassfish.java.net

[gf-users] Re: Java EE 7 Hands-on-Lab Updated (for You to Use)

From: Markus Karg <karg_at_quipsy.de>
Date: Mon, 16 Mar 2015 08:35:51 +0100

Please tell me one single case where Maven actually induced the Malware problem you describe, so I can forward the case to the Maven project lead.

Regards
-Markus

-----Original Message-----
From: Wayne Pollock [mailto:pollock_at_acm.org]
Sent: Sunday, 15 March 2015 05:42
To: users_at_glassfish.java.net
Subject: [gf-users] Re: Java EE 7 Hands-on-Lab Updated (for You to Use)

On 3/14/2015 10:14 PM, Arun Gupta wrote:
> Wayne,
>
> See in line ...
>
> On Sat, Mar 14, 2015 at 4:06 PM, Wayne Pollock <pollock_at_acm.org> wrote:
>> ...
>> Maven scares me. As far as I can tell from the Google searching I've
>> done, the Maven central repository consists of unsigned contributed code.
>> The maven tool automatically downloads, installs, and runs such code.
>> I can't imagine how much longer it will be, before malware makes its
>> way into developers' PCs, and ultimately to servers, using maven as
>> an attack vector.
>
> Maven is indeed scary, but a pragmatic reality. So we all have to get
> used to it :)

I don't agree with that. I can imagine legal liability issues if you use Maven on a production server, knowing its security holes exist.

I know there are alternatives such as ant tasks. (Those aren't signed either, but at least you must manually download and install them, so you have a chance to examine them for malware before use.)

In any case, I don't like telling students that "Java EE is all hand-waving, GUI and/or 'mvn deploy' commands, and never mind understanding it all; just click here, then click there, and that's Java EE programming."

>
> Have you looked at https://github.com/javaee-samples/javaee7-samples
> that shows Hello World samples for different Java EE 7 technologies?
> They can run against WildFly or GlassFish.
>
> There is also https://github.com/javaee-samples/javaee7-simple-sample
> that is a simple sample to showcase different Java EE 7 technologies.
>

I have. They too use Maven.

>> ...

> Have you looked at
> http://www.mastertheboss.com/jboss-server/wildfly-8/maven-configuration-for-java-ee-7-projects-on-wildfly?
>
>

I have. I like the site MasterTheBoss.com, but all the tutorials there use Maven, Eclipse, or Netbeans. I don't mind that really, I use Eclipse myself.

But I do like explanations on what the tools are doing so one can visualize the sub-tasks, trouble-shoot setups, transfer the knowledge to a new toolset (and we all know that sooner or later, there will be new tools!), and roll-your-own deployment scripts if you want. I like to examine downloaded WAR files in 7-zip, and assess their quality. Without understanding of manifest files, I would never have found the cause of the GF 4.01 bugs.

I believe these skills are important, if not for the beginner to have, at least important for a beginner to know about. That's why I would like at least a Hello, World that used basic deployment and compilation tools, and comments in other tutorials about what has been left out for clarity, with pointers to, say, the CERT/Oracle secure coding website.

(FYI, I have a Java code signing demo and tutorial at <http://wpollock.com/AJava/SignedCodeDemo/>, if anyone is interested.)
Given Oracle's directions, learning code signing is important. (And no, I'm not interested in any tutorial that just states "use mvn sign". :-)

> Arun
>> ...

--
Wayne Pollock
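The inspection Wayne describes doing by hand (opening a downloaded WAR in 7-zip and reading META-INF/MANIFEST.MF) can be scripted. The following is an added example, not code from either poster or from the GlassFish project: it parses the manifest, recomputes the per-entry SHA-256/SHA-1 digests that the JAR signing format records there, flags entries whose digest no longer matches or that carry no digest at all, and reports whether any signature block (META-INF/*.RSA, *.DSA, *.EC) is present. It only covers the integrity layer; whether a present signature is valid and who signed it still needs `jarsigner -verify -verbose -certs`. The sample JAR it builds (entry names and contents) is constructed for the demonstration.

```python
"""Inspect a JAR/WAR: parse META-INF/MANIFEST.MF, verify per-entry digests,
and report whether any signature block is present. Added example; the
sample archive produced by build_sample_jar() is constructed, not real."""
import base64
import hashlib
import io
import sys
import zipfile

# Manifest attribute name -> hashlib algorithm. jarsigner writes SHA-256
# digests today; older tools wrote SHA1.
DIGEST_ALGOS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}


def parse_manifest(text):
    """Return (main_attributes, {entry_name: attributes}).

    Manifest lines longer than 72 bytes are wrapped onto continuation lines
    that begin with a single space, so those are rejoined first. Sections
    are separated by blank lines; the first section is the main one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines:
        if line == "":
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, entries


def inspect_jar(data):
    """Inspect JAR bytes and return a report dict.

    digest_mismatches: entries whose content no longer matches the manifest
    undigested:        non-META-INF entries the manifest does not cover
    signature_blocks:  META-INF/*.RSA|DSA|EC files (presence only)"""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest_text = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest_text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        main, entries = parse_manifest(manifest_text)
        mismatches, undigested = [], []
        for name in names:
            if name.endswith("/") or name.upper().startswith("META-INF/"):
                continue
            attrs = entries.get(name, {})
            checked = False
            for key, algo in DIGEST_ALGOS.items():
                if key in attrs:
                    checked = True
                    digest = hashlib.new(algo, zf.read(name)).digest()
                    if base64.b64encode(digest).decode() != attrs[key]:
                        mismatches.append(name)
            if not checked:
                undigested.append(name)
        sig_blocks = [n for n in names
                      if n.upper().startswith("META-INF/")
                      and n.upper().rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")]
        return {"main_attributes": main, "digest_mismatches": mismatches,
                "undigested": undigested, "signature_blocks": sig_blocks,
                "signed": bool(sig_blocks)}


def build_sample_jar(tamper=False):
    """Constructed sample: a tiny unsigned JAR whose manifest carries SHA-256
    digests. With tamper=True one entry is altered after the digest was
    written, which is what a modified download looks like."""
    content = {"com/example/Hello.class": b"\xca\xfe\xba\xbe constructed class",
               "config.properties": b"greeting=hello\n"}
    manifest = "Manifest-Version: 1.0\r\nCreated-By: constructed-example\r\n\r\n"
    for name, body in content.items():
        d = base64.b64encode(hashlib.sha256(body).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {d}\r\n\r\n"
    if tamper:
        content["config.properties"] = b"greeting=changed-after-digest\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, body in content.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python inspect_jar.py some.war   (defaults to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar(tamper=True)
    for k, v in inspect_jar(data).items():
        print(f"{k}: {v}")
```

An archive that reports no mismatches and no undigested entries but `signed: False` is exactly the case raised in the thread: internally consistent, but nothing ties it to a publisher. A mismatch on an unsigned archive simply means the manifest and the content disagree; on a signed one it is what `jarsigner -verify` would reject.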