ant-dev mailing list archives

From Steve Loughran <ste...@apache.org>
Subject Re: validating content in Maven repositories
Date Tue, 26 Oct 2004 09:23:57 GMT
On Tue, 26 Oct 2004 07:56:37 +0200, Stefan Bodewig <bodewig@apache.org> 
wrote:
 > This is in addition to Conor's remarks.
 >
 > On Fri, 22 Oct 2004, Steve Loughran <stevel@apache.org> wrote:
 >
 > > The only way to secure it is one of
 > >
 > > 1. checksums to live on an http server you trust
 > > 2. things to be signed by a CA you trust.
 >
 > things PGP signed by somebody you trust (or can build a chain of trust
 > to).  bouncycastle.org has Java APIs to PGP IIRC.
 >
 > > Also, can/should we declare ourselves a CA and sign all our ant
 > > jars.
 >
 > I think we already have an ASF CA we used to create the certificate for
 > https access to the Subversion repo.  I may be wrong, though.
 >
 > Setting up a "real" CA is under active consideration, we even already
 > have some infrastructure pieces for it in Ben Laurie's bunker.  We
 > could create certificates for signing the jars with them.


In smartfrog you create your own CA just to sign all your jars, and 
sign and encrypt all (RMI) communications. To actually install the 
runtime you need to copy in the list of trusted CAs, and every node 
needs a copy of the (private) key used for inter-node communications.

I will talk to the security person when I get a chance to find out more 
about JAR signing.

 >
 > Personally I'm happy with PGP.  A CA in the end has similar trust
 > issues as a PGP key.  Why should I trust the CA more than Antoine's or
 > Magesh's PGP key?

You can't. We have our own CA at work for signing mail and sites, 
incidentally. You need to add it to all your browsers to do things like 
find out why travel expenses haven't been paid.


What we can do with a CA is work with normal jar signing; we could sign 
all the jar files we stick up on the repository with the ant key and so 
verify on download.

 > We certainly need a better web of trust.  As many committers (or users
 > for that matter) as possible should create PGP keys and use every
 > opportunity to cross sign the keys of people they meet.
 >

Agreed. I guess I should do one. Is there somewhere where we keep the keys?
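The "sign all the jar files with the ant key and verify on download" idea above maps onto standard JAR signing, and the check on the consumer side is where the pitfalls are. The following is an added example written for this archive, not code from the thread or from Ant itself: it opens a signed jar with verification enabled and additionally insists that every content entry carries a signature whose leaf certificate equals a trusted certificate supplied out of band. The two command-line arguments (a jar path and a DER/PEM certificate file holding the project's signing certificate) are hypothetical inputs. The caveat it handles is that `JarFile` only throws on an entry whose digest disagrees with its signature; entries that are simply unsigned, or signed by an unrelated key, are read without complaint unless the caller inspects `getCodeSigners()` itself.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifySignedJar {

    /**
     * Returns true only when every content entry in the jar is signed and at
     * least one of its signers presents exactly the trusted certificate.
     * A tampered entry surfaces as a SecurityException while it is read.
     */
    public static boolean verify(JarFile jar, X509Certificate trusted) throws IOException {
        byte[] buf = new byte[8192];
        Enumeration<JarEntry> entries = jar.entries();
        while (entries.hasMoreElements()) {
            JarEntry entry = entries.nextElement();
            if (entry.isDirectory() || isSignatureMetadata(entry.getName())) {
                continue;
            }
            // Digest verification only happens as the entry's bytes are consumed,
            // and getCodeSigners() returns null until the entry has been fully read.
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) {
                    // consume to EOF
                }
            }
            CodeSigner[] signers = entry.getCodeSigners();
            if (signers == null) {
                // Unsigned entry: JarFile accepts it silently, so reject here.
                return false;
            }
            boolean trustedSignerFound = false;
            for (CodeSigner signer : signers) {
                Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                if (leaf.equals(trusted)) {
                    trustedSignerFound = true;
                    break;
                }
            }
            if (!trustedSignerFound) {
                // Signed, but by a key we were not told to trust.
                return false;
            }
        }
        return true;
    }

    /** The manifest and the signature files themselves are never signed entries. */
    private static boolean isSignatureMetadata(String name) {
        String upper = name.toUpperCase(Locale.ROOT);
        if (upper.equals("META-INF/MANIFEST.MF")) {
            return true;
        }
        return upper.startsWith("META-INF/")
            && (upper.endsWith(".SF") || upper.endsWith(".RSA")
                || upper.endsWith(".DSA") || upper.endsWith(".EC"));
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical usage: args[0] = downloaded jar, args[1] = the signing
        // certificate distributed separately from the repository.
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        X509Certificate trusted;
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            trusted = (X509Certificate) factory.generateCertificate(in);
        }
        // The second constructor argument enables signature verification on read.
        try (JarFile jar = new JarFile(args[0], true)) {
            boolean ok = verify(jar, trusted);
            System.out.println(ok ? "OK: every entry signed by the trusted key"
                                  : "REJECT: unsigned or untrusted entry present");
        }
    }
}
```

The trusted certificate has to reach the client by some path other than the repository being verified, which is the same out-of-band step Steve describes for smartfrog's list of trusted CAs; otherwise a server that can replace the jar can replace the certificate too. This covers the jar-signing route only; a PGP detached signature, as Stefan suggests, is a separate check that would be done against the committer's key rather than against the jar's own signature block.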

