incubator-general mailing list archives

From "Brian E. Fox" <bri...@reply.infinity.nu>
Subject RE: enforced signing of artifacts, [was maven repository]
Date Mon, 02 Jun 2008 19:31:54 GMT
I think this thread belongs on the Maven lists as it is only
tangential to the decision about the incubator repository.

The process for getting new features included is to write a proposal and
put it on the wiki [1] and then email the dev list to begin a
discussion. There are some good ideas here but they need to be fleshed
out by the Maven community as a whole.


[1] https://docs.codehaus.org/display/MAVENUSER/User+Proposals

-----Original Message-----
From: Robert Burrell Donkin [mailto:robertburrelldonkin@gmail.com] 
Sent: Monday, June 02, 2008 2:40 PM
To: general@incubator.apache.org
Subject: Re: enforced signing of artifacts, [was maven repository]

On Sat, May 31, 2008 at 8:11 PM, Craig L Russell <Craig.Russell@sun.com> wrote:
>
> On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
>
>> On Sat, May 31, 2008 at 3:42 AM, Brett Porter <brett.porter@gmail.com>
>> wrote:
>>>
>>> 2008/5/31 Brian E. Fox <brianf@reply.infinity.nu>:
>>>>
>>>> Can you elaborate more on what you mean here? I've been on the Maven
>>>> PMC for over a year now and this is the first I've heard of it.
>>>>
>>>> We do support signing of artifacts and all the maven releases are
>>>> signed. We obviously don't control all the other Apache projects in a
>>>> way to enforce that they sign their artifacts.
>>>
>>> Noel is referring to enforcing checking signatures, not signing them.
>>> I've had a proposal out there for some time which anyone is free to
>>> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>>>
>>> There hasn't been a lot of traction behind it so far. Ease of use,
>>> especially OOTB, is probably one of the main concerns.
>>
>> IMO this isn't really a maven issue: basic checks should be performed
>> on all releases. I favour a private subversion repository with custom
>> hooks for release publishing.
>
> I think that maven basically changes the equation, since it is responsible
> for automatically downloading artifacts, and this feature is a huge
> usability win. I think that currently, usability trumps security.
>
> Since maven automatically downloads artifacts, it's technically feasible for
> maven to verify the signatures of those artifacts and allow for control by
> the user over whether or not to trust the artifacts.
>
> For example, "trust all unsigned", "trust all signed", "trust all signed in
> Apache WOT" might be reasonable policies declared by the user.

+1

- robert

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


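The three trust policies Craig lists above, worked through as an added example that is not code from this thread and not Maven's own implementation. It uses Ed25519 from Go's standard library as a stand-in for the OpenPGP signatures Apache releases actually carry, and an in-memory keyring as a stand-in for the Apache web of trust; the artifact names, key pairs and jar bytes are constructed for the example, and the rule that a signature which is present but fails to verify is rejected under every policy is an assumption the thread does not spell out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Policy is one of the user-declared trust policies named in the thread.
type Policy int

const (
	TrustAllUnsigned Policy = iota // unsigned artifacts are used, signed ones must verify
	TrustAllSigned                 // a signature that verifies is required, from any key
	TrustSignedInWOT               // a verifying signature from a key in the keyring is required
)

func (p Policy) String() string {
	return [...]string{"trust all unsigned", "trust all signed", "trust all signed in WOT"}[p]
}

// Artifact models one file a repository serves: its bytes, the Maven-style
// .sha1 sidecar, and, if the project signed the release, a detached
// signature plus the signer's public key (stand-in for the key ID in a .asc).
type Artifact struct {
	Name      string
	Data      []byte
	SHA1Hex   string
	Signature []byte            // nil when the artifact is unsigned
	SignerKey ed25519.PublicKey // nil when the artifact is unsigned
}

// Keyring stands in for the "Apache WOT": the keys this user chose to trust.
type Keyring map[string]ed25519.PublicKey

func fingerprint(k ed25519.PublicKey) string         { return hex.EncodeToString(k) }
func (kr Keyring) Add(k ed25519.PublicKey)           { kr[fingerprint(k)] = k }
func (kr Keyring) Trusts(k ed25519.PublicKey) bool { _, ok := kr[fingerprint(k)]; return ok }

// GenerateKey makes a fresh signing key pair (hypothetical release manager or stranger).
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func sha1Hex(b []byte) string { s := sha1.Sum(b); return hex.EncodeToString(s[:]) }

// UnsignedArtifact is what a project that never signed its release publishes.
func UnsignedArtifact(name string, data []byte) Artifact {
	return Artifact{Name: name, Data: data, SHA1Hex: sha1Hex(data)}
}

// SignArtifact publishes data together with a detached signature from priv.
func SignArtifact(name string, data []byte, priv ed25519.PrivateKey) Artifact {
	a := UnsignedArtifact(name, data)
	a.Signature = ed25519.Sign(priv, data)
	a.SignerKey = priv.Public().(ed25519.PublicKey)
	return a
}

// Verify decides whether a build may use a downloaded artifact under policy p.
func Verify(a Artifact, p Policy, kr Keyring) error {
	// The .sha1 is checked under every policy. It detects corruption, but it is
	// not a security boundary: whoever can replace the jar can replace the .sha1.
	if sha1Hex(a.Data) != a.SHA1Hex {
		return fmt.Errorf("%s: checksum mismatch", a.Name)
	}
	if a.Signature == nil {
		if p == TrustAllUnsigned {
			return nil
		}
		return fmt.Errorf("%s: unsigned, rejected under %q", a.Name, p)
	}
	// Assumption: a signature that is present but does not verify is always rejected.
	if len(a.SignerKey) != ed25519.PublicKeySize || !ed25519.Verify(a.SignerKey, a.Data, a.Signature) {
		return fmt.Errorf("%s: signature does not verify", a.Name)
	}
	// "trust all signed" stops here: any key, including one an attacker made a
	// minute ago, satisfies it. Only the WOT policy ties the signature to trust.
	if p == TrustSignedInWOT && !kr.Trusts(a.SignerKey) {
		return fmt.Errorf("%s: signed by key %s, not in trusted keyring", a.Name, fingerprint(a.SignerKey)[:16])
	}
	return nil
}

func main() {
	rmPub, rmPriv := GenerateKey()   // release manager, whose key the user trusts
	_, strangerPriv := GenerateKey() // anyone else able to upload a signed jar
	kr := Keyring{}
	kr.Add(rmPub)
	jar := []byte("constructed stand-in for foo-1.0.jar bytes")
	artifacts := []Artifact{
		SignArtifact("foo-1.0.jar (WOT key)", jar, rmPriv),
		SignArtifact("foo-1.0.jar (stranger key)", jar, strangerPriv),
		UnsignedArtifact("foo-1.0.jar (unsigned)", jar),
	}
	for _, p := range []Policy{TrustAllUnsigned, TrustAllSigned, TrustSignedInWOT} {
		for _, a := range artifacts {
			verdict := "accepted"
			if err := Verify(a, p, kr); err != nil {
				verdict = err.Error()
			}
			fmt.Printf("%-24s %-28s %s\n", p, a.Name, verdict)
		}
	}
}
```

Running main prints a verdict for every policy/artifact pair. The row worth staring at is the stranger-signed jar under "trust all signed": it is accepted, because a signature on its own proves only that the holder of some key signed those bytes. Whether that key belongs to the release manager is exactly what the keyring check under the WOT policy adds, and it is the part that costs usability, since the user has to obtain and maintain the trusted key set.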

