Nexus security

Currently my colleagues and I are fairly close to introducing Nexus in our company. But before we are allowed to buy/use it, our security department has to agree with it. They have asked about possible backdoors in Nexus and about the security policy of Nexus. What happens when a security issue is discovered? How are users notified and what about the availability of patches?

Can someone from Sonatype give some more info about this?

Thanks in advance for your reaction(s),

Rob ten Hove
Re: Nexus security

If we uncover or are notified of any issues that potentially affect production systems, we notify the user list (and the pro user list) right away and provide patches as soon as possible. This has happened only a few times in the past with scheduled task problems or conditions we've uncovered that could cause out of memory errors.

We use Nexus to host our own repository and always run releases there for several days minimum before publishing a release, so that helps us discover any potential issues before it ever hits the download site.

On Fri, Oct 16, 2009 at 7:19 AM, Rob ten Hove <rob@...> wrote:
> Currently my colleagues and I are fairly close to introducing Nexus in our
> company. But before we are allowed to buy/use it, our security department
> has to agree with it. They have asked about possible backdoors in Nexus and
> about the security policy of Nexus. What happens when a security issue is
> discovered? How are users notified and what about the availability of
> patches?
>
> Can someone from Sonatype give some more info about this?
>
> Thanks in advance for your reaction(s),
>
> Rob ten Hove
Re: Nexus security

I didn't directly address the backdoor question: There are no built-in backdoors to the system. All the core and security code is OSS and available for inspection to validate that statement. The Pro version builds upon the Core and adds new plugins but doesn't alter the core or security code. (LDAP and Crowd simply introduce new realm implementations.)

On Fri, Oct 16, 2009 at 9:51 AM, Brian Fox <brianf@...> wrote:
> If we uncover or are notified of any issues that potentially affect
> production systems, we notify the user list (and the pro user list)
> right away and provide patches as soon as possible. This has happened
> only a few times in the past with scheduled task problems or
> conditions we've uncovered that could cause out of memory errors.
>
> We use Nexus to host our own repository and always run releases there
> for several days minimum before publishing a release, so that helps us
> discover any potential issues before it ever hits the download site.
>
> On Fri, Oct 16, 2009 at 7:19 AM, Rob ten Hove <rob@...> wrote:
>> Currently my colleagues and I are fairly close to introducing Nexus in our
>> company. But before we are allowed to buy/use it, our security department
>> has to agree with it. They have asked about possible backdoors in Nexus and
>> about the security policy of Nexus. What happens when a security issue is
>> discovered? How are users notified and what about the availability of
>> patches?
>>
>> Can someone from Sonatype give some more info about this?
>>
>> Thanks in advance for your reaction(s),
>>
>> Rob ten Hove
Re: Nexus security

Brian, thanks for your quick reaction. I will present your explanation to our security department.

Kind regards,

Rob