On Sat, Mar 14, 2015 at 4:06 PM, Wayne Pollock <pollock_at_acm.org> wrote:
> It is a fine idea, well implemented. Yet, I do have concerns I'd like
> to discuss.
>
> Too many of these tutorials rely on GUIs and/or maven. The result is
> a lack of understanding of the underlying processes. I would like to
> see *just one* "Hello EE world" tutorial that describes compiling and
> deploying a WAR using nothing but javac and jar. Once the basics of
> how EE works (the directory structure of a WAR, the proper setting of
> CLASSPATH, etc.) is done, *then* is the time to go on to teaching the
> Java EE technologies using automation and GUIs, if you wish.
>
> Maven scares me. As far as I can tell from the Google searching I've
> done, the Maven central repository consists of unsigned contributed code.
> The maven tool automatically downloads, installs, and runs such code.
> I can't imagine how much longer it will be, before malware makes its
> way into developers' PCs, and ultimately to servers, using maven as an
> attack vector.
In the early days of Maven Central, unsigned code was indeed uploaded into the repo. That hasn’t been true for years. All contributions now must be signed, and must include source code and javadoc. Yes, there is still some level of trust required in using open source projects of any kind, but the folks who run Maven Central have taken steps to try to minimize the risk. In Maven 1, the tool used to download the latest version of all of its plugins - that is, once again, no longer true. Once you have a project working, it will not download new versions unless you specifically update your project definition. Nowadays, the biggest challenge is that you have to learn how to use Maven, and it has its own ideas of what to do.
(As my signature indicates, I’ve published a video course on Maven to help with such questions).
----
Author, Getting Started with Apache Maven <https://www.packtpub.com/application-development/getting-started-apache-maven-video>