incubator-general mailing list archives
From "Noel J. Bergman" <n...@devtech.com>
Subject RE: enforced signing of artifacts, [was maven repository]
Date Mon, 02 Jun 2008 18:22:06 GMT
Gilles Scokart wrote:

> Noel J. Bergman:
> > Implement that, and we're fine.  We will
> > require Incubator artifacts to be signed by a designated key available to
> > the PMC, and once a user has acknowledged that they accept such Incubator
> > signed artifacts, maven can do what it wants with them.
>
>        --- Noel

> Is that really possible?

Very.

> I remember some discussion on the infra list about an ASF wide signature.
> And the conclusion was always the same: how to secure a key that can be
> used by so many people.  If I remember well, some solutions were proposed,
> but they were quite heavy.  Do we have a solution for that?

There are various things that can be done with respect to key management.
Personally, I would not go with a single key.  But maven ought to maintain a
trust file, with options to accept files that are signed with a trusted key,
or signed by a key that is signed by a trusted key, etc.  The first thing
that has to happen is for the Maven PMC to make security a priority.

	--- Noel
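The trust model Noel sketches above (a user-maintained trust file; accept an artifact if its signing key is trusted directly, or is certified by a trusted key, and so on to a bounded depth) can be written down concretely. The following is an added example, not Maven code and not anything from the thread: it assumes a hypothetical plain-text trust-file format with `trust`, `cert` and `revoke` directives, assumes the artifact's signature has already been verified by an external tool such as gpg that reports the signing key's fingerprint, and uses constructed fingerprints and a constructed trust file. It models only the "is this signing key acceptable?" decision: a depth-limited search from the directly trusted keys along certification edges, with revoked keys excluded both as signers and as certifiers.

```python
"""Trust-file policy check for signed artifacts (added illustration, not Maven code).

Assumptions: the artifact signature has already been verified by an external
tool (e.g. gpg) that returns the signing key's fingerprint; the trust-file
format below is hypothetical; fingerprints and the example file are constructed.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass
class TrustStore:
    trusted: set[str]                      # fingerprints the user trusts directly
    certifications: dict[str, set[str]]    # certifier fingerprint -> keys it has signed
    revoked: set[str] = field(default_factory=set)
    max_depth: int = 1  # 0: only direct trust; 1: also keys signed by a trusted key; ...


def normalize(fpr: str) -> str:
    """Canonical form of a fingerprint: no spaces, upper case."""
    return fpr.replace(" ", "").upper()


def parse_trust_file(text: str, max_depth: int = 1) -> TrustStore:
    """Parse the hypothetical format:
        trust  <fingerprint>
        cert   <certifier-fingerprint> <certified-fingerprint>
        revoke <fingerprint>
    Blank lines and '#' comments are ignored; anything else is an error."""
    store = TrustStore(trusted=set(), certifications={}, max_depth=max_depth)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), [normalize(a) for a in parts[1:]]
        if directive == "trust" and len(args) == 1:
            store.trusted.add(args[0])
        elif directive == "cert" and len(args) == 2:
            store.certifications.setdefault(args[0], set()).add(args[1])
        elif directive == "revoke" and len(args) == 1:
            store.revoked.add(args[0])
        else:
            raise ValueError(f"trust file line {lineno}: cannot parse {raw!r}")
    return store


def trust_path(store: TrustStore, signer: str) -> list[str] | None:
    """Breadth-first search from directly trusted keys along certification edges.
    Returns the chain [trusted key, ..., signer] or None if no acceptable chain
    exists within store.max_depth. Revoked keys neither sign nor certify."""
    signer = normalize(signer)
    if signer in store.revoked:
        return None
    queue = deque((k, [k]) for k in sorted(store.trusted) if k not in store.revoked)
    seen: set[str] = set()
    while queue:
        fpr, path = queue.popleft()
        if fpr == signer:
            return path
        if fpr in seen or len(path) - 1 >= store.max_depth:
            continue
        seen.add(fpr)
        for subject in sorted(store.certifications.get(fpr, ())):
            if subject not in store.revoked and subject not in seen:
                queue.append((subject, path + [subject]))
    return None


def accept_signer(store: TrustStore, signer: str) -> tuple[bool, str]:
    """Policy decision for an artifact whose verified signing key is `signer`."""
    path = trust_path(store, signer)
    if path is None:
        if normalize(signer) in store.revoked:
            return False, "signing key is revoked"
        return False, f"no trust chain within depth {store.max_depth}"
    return True, "trust chain: " + " -> ".join(path)


# Constructed fingerprints for the example (not real keys).
ALICE, BOB, CAROL = "A1A1A1A1A1A1A1A1A1A1", "B2B2B2B2B2B2B2B2B2B2", "C3C3C3C3C3C3C3C3C3C3"
DAVE, EVE, FRANK = "D4D4D4D4D4D4D4D4D4D4", "E5E5E5E5E5E5E5E5E5E5", "F6F6F6F6F6F6F6F6F6F6"

EXAMPLE_TRUST_FILE = f"""
# constructed example trust file
trust  {ALICE}            # e.g. the Incubator PMC's designated key
cert   {ALICE} {BOB}      # Alice has signed Bob's key
cert   {BOB}   {CAROL}    # Bob has signed Carol's key
cert   {ALICE} {DAVE}
revoke {DAVE}             # Dave's key is revoked ...
cert   {DAVE}  {FRANK}    # ... so his certification of Frank must not count
"""


def example_store(max_depth: int = 1) -> TrustStore:
    return parse_trust_file(EXAMPLE_TRUST_FILE, max_depth=max_depth)


if __name__ == "__main__":
    for depth in (1, 2):
        store = example_store(depth)
        for name, fpr in [("alice", ALICE), ("bob", BOB), ("carol", CAROL),
                          ("dave", DAVE), ("eve", EVE), ("frank", FRANK)]:
            print(depth, name, accept_signer(store, fpr))
```

With `max_depth=1` only Alice and Bob are acceptable signers; Carol needs depth 2; Dave is rejected as revoked, and Frank is never reachable because a revoked key's certifications are ignored. The depth bound is the knob Noel alludes to with "etc.": raising it widens what a single compromised or carelessly certifying key can pull into the trusted set, which is why a verifier should keep it small and report the chain it relied on.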



---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

