incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Burrell Donkin" <>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Mon, 02 Jun 2008 18:40:21 GMT
On Sat, May 31, 2008 at 8:11 PM, Craig L Russell <> wrote:
> On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
>> On Sat, May 31, 2008 at 3:42 AM, Brett Porter <>
>> wrote:
>>> 2008/5/31 Brian E. Fox <>:
>>>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>>>> for over a year now and this is the first I've heard of it.
>>>> We do support signing of artifacts and all the maven releases are
>>>> signed. We obviously don't control all the other Apache projects in a
>>>> way to enforce that they sign their artifacts.
>>> Noel is referring to enforcing checking signatures, not signing them.
>>> I've had a proposal out there for some time which anyone is free to
>>> comment on:
>>> There hasn't been a lot of traction behind it so far. Ease of use,
>>> especially OOTB, is probably one of the main concerns.
>> IMO this isn't really a maven issue: basic checks should be performed
>> on all releases. i favour a private subversion repository with custom
>> hooks for release publishing.
> I think that maven basically changes the equation, since it is responsible
> for automatically downloading artifacts, and this feature is a huge
> usability win. I think that currently, usability trumps security.
> Since maven automatically downloads artifacts, it's technically feasible for
> maven to verify the signatures of those artifacts and allow for control by
> the user over whether or not to trust the artifacts.
> For example, "trust all unsigned", "trust all signed", "trust all signed in
> Apache WOT" might be reasonable policies declared by the user.


- robert

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message