Message-ID: <417E17AD.90206@apache.org>
Date: Tue, 26 Oct 2004 10:23:57 +0100
From: Steve Loughran
To: Ant Developers List
Subject: Re: validating content in Maven repositories

On Tue, 26 Oct 2004 07:56:37 +0200, Stefan Bodewig wrote:
> This is in addition to Conor's remarks.
>
> On Fri, 22 Oct 2004, Steve Loughran wrote:
>
> > The only way to secure it is one of
> >
> > 1. checksums to live on an http server you trust
> > 2. things to be signed by a CA you trust.
>
> things PGP signed by somebody you trust (or can build a chain of trust
> to). bouncycastle.org has Java APIs to PGP IIRC.
>
> > Also, can/should we declare ourselves a CA and sign all our ant
> > jars.
>
> I think we already have an ASF CA we used to create the certificate for
> https access to the Subversion repo. I may be wrong, though.
>
> Setting up a "real" CA is under active consideration, we even already
> have some infrastructure pieces for it in Ben Laurie's bunker. We
> could create certificates for signing the jars with them.

In smartfrog you create your own CA just to sign all your jars, and sign
and encrypt all (RMI) communications. To actually install the runtime
you need to copy in the list of trusted CAs, and every node needs a copy
of the (private) key used for inter-node communications. I will talk to
the security person when I get a chance to find out more about JAR signing.

>
> Personally I'm happy with PGP. A CA in the end has similar trust
> issues as a PGP key. Why should I trust the CA more than Antoine's or
> Magesh's PGP key?

you can't. We have our own CA at work for signing mail and sites,
incidentally. You need to add it to all your browsers to do things like
find out why travel expenses haven't been paid.

What we can do with a CA is work with normal jar signing; we could sign
all the jar files we stick up on the repository with the ant key and so
verify on download.

> We certainly need a better web of trust. As many committers (or users
> for that matter) as possible should create PGP keys and use every
> opportunity to cross sign the keys of people they meet.
>

agreed. I guess I should do one. Is there somewhere where we keep the keys?
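An added example, not part of the original message or of Ant's code: it illustrates option 1 in the thread ("checksums to live on an http server you trust") by checking the same downloaded bytes against a checksum stored beside the jar and against a manifest obtained from a separately trusted server. The file name, byte strings and sha256sum-style manifest format are assumptions constructed for the demonstration, and SHA-256 is used as a current digest choice.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex digest>  <file name>') into a dict."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        bad_hex = any(c not in "0123456789abcdefABCDEF" for c in digest)
        if len(digest) != 64 or bad_hex or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def verify(name: str, data: bytes, manifest: dict) -> bool:
    """True only if `name` is listed and the digest matches; unlisted files fail closed."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)

# Constructed sample data: stand-ins for jar bytes, not real artifacts.
NAME = "ant-example.jar"
GENUINE = b"PK\x03\x04 genuine build output"
TAMPERED = b"PK\x03\x04 replaced on the mirror"

# Published by the project on the server you trust (option 1 in the thread).
TRUSTED_MANIFEST = parse_manifest(f"{sha256_hex(GENUINE)}  {NAME}\n")
# Checksum stored next to the jar: whoever can replace the jar can replace this too.
MIRROR_SIDECAR = parse_manifest(f"{sha256_hex(TAMPERED)}  {NAME}\n")

def check_download(data: bytes) -> dict:
    """Compare what each checksum source says about the same downloaded bytes."""
    return {
        "mirror_sidecar": verify(NAME, data, MIRROR_SIDECAR),
        "trusted_manifest": verify(NAME, data, TRUSTED_MANIFEST),
    }

if __name__ == "__main__":
    print("tampered jar:", check_download(TAMPERED))
    print("genuine jar: ", check_download(GENUINE))
```

The sidecar check accepts the replaced jar because it shares the jar's origin; only the manifest fetched from the independently trusted server rejects it.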