incubator-general mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Sat, 31 May 2008 19:11:23 GMT

On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:

> On Sat, May 31, 2008 at 3:42 AM, Brett Porter <brett.porter@gmail.com> wrote:
>> 2008/5/31 Brian E. Fox <brianf@reply.infinity.nu>:
>>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>>> for over a year now and this is the first I've heard of it.
>>>
>>> We do support signing of artifacts and all the maven releases are
>>> signed. We obviously don't control all the other Apache projects in a
>>> way to enforce that they sign their artifacts.
>>
>> Noel is referring to enforcing checking signatures, not signing them.
>> I've had a proposal out there for some time which anyone is free to
>> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>>
>> There hasn't been a lot of traction behind it so far. Ease of use,
>> especially OOTB, is probably one of the main concerns.
>
> IMO this isn't really a maven issue: basic checks should be performed
> on all releases. I favour a private subversion repository with custom
> hooks for release publishing.

I think that maven basically changes the equation, since it is responsible for automatically downloading artifacts, and this feature is a huge usability win. I think that currently, usability trumps security.

Since maven automatically downloads artifacts, it's technically feasible for maven to verify the signatures of those artifacts and allow for control by the user over whether or not to trust the artifacts.

For example, "trust all unsigned", "trust all signed", "trust all signed in Apache WOT" might be reasonable policies declared by the user.

Craig
>
>
> - robert

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!
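The three user-declared trust policies Craig sketches above, worked through as an added example (my own illustration, not code from this thread or from Maven): the signature verification step is assumed to have already run and reported which key signed the artifact, and the web of trust is a constructed set of placeholder key fingerprints, not Apache's real KEYS data.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class Artifact:
    name: str
    # Fingerprint of the key whose detached signature verified, or None when
    # the artifact is unsigned or its signature failed to verify. Constructed
    # input: a real build tool would get this from its PGP verification step.
    signer: Optional[str]

# Constructed web of trust: key fingerprint -> fingerprints that certified it.
# All identifiers are placeholders, not real Apache keys.
CERTIFICATIONS: Dict[str, Set[str]] = {
    "KEY-RELEASE-MGR": {"KEY-PMC-A", "KEY-PMC-B"},
    "KEY-PMC-A": {"KEY-ROOT"},
    "KEY-PMC-B": {"KEY-ROOT"},
    "KEY-STRANGER": set(),
}
TRUST_ANCHORS: Set[str] = {"KEY-ROOT"}

def in_web_of_trust(signer: str, certs: Dict[str, Set[str]],
                    anchors: Set[str], max_hops: int = 3) -> bool:
    """True if at most max_hops certifications link signer to a trust anchor."""
    seen = {signer}
    queue = deque([(signer, 0)])
    while queue:
        key, hops = queue.popleft()
        if key in anchors:
            return True
        if hops == max_hops:
            continue  # path too long; do not follow this key's certifiers
        for certifier in certs.get(key, ()):
            if certifier not in seen:
                seen.add(certifier)
                queue.append((certifier, hops + 1))
    return False

def artifact_trusted(artifact: Artifact, policy: str,
                     certs=CERTIFICATIONS, anchors=TRUST_ANCHORS) -> bool:
    """Apply the user-declared policy to a downloaded artifact."""
    if policy == "trust-unsigned":
        return True                       # permissive: unsigned is accepted too
    if artifact.signer is None:
        return False                      # stricter policies need a verified signature
    if policy == "trust-signed":
        return True                       # any verifying key is good enough
    if policy == "trust-signed-in-wot":
        return in_web_of_trust(artifact.signer, certs, anchors)
    raise ValueError(f"unknown policy: {policy}")
```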

