incubator-general mailing list archives

From "Robert Burrell Donkin" <robertburrelldon...@gmail.com>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Tue, 03 Jun 2008 11:39:38 GMT
On 6/3/08, Gilles Scokart <gscokart@gmail.com> wrote:
> I thought this thread started with the idea: if maven would be able
> to validate signature, we could use this feature to inform someone
> that he is using incubator artefacts.
> I thought the idea that launched this thread was to have a unique key
> for the incubator that the user has to trust if he wants to use
> incubator artefacts.

Stated like that then the artifact would need to be encrypted.
> My question was in that context.

AIUI maven decided against enforcing download verification. So it
requires the maven team developing this feature first.

Robert
>
> 2008/6/2 Noel J. Bergman <noel@devtech.com>:
>> Gilles Scokart wrote:
>>
>>> Noel J. Bergman:
>>> > Implement that, and we're fine.  We will
>>> > require Incubator artifacts to be signed by a designated key available to
>>> > the PMC, and once a user has acknowledged that they accept such Incubator
>>> > signed artifacts, maven can do what it wants with them.
>>>
>>>        --- Noel
>>
>>> Is that really possible?
>>
>> Very.
>>
>>> I remember some discussion on the infra list about an ASF wide signature.
>>> And the conclusion was always the same: how to secure a key that can be
>>> used by so many people.  If I remember well, some solutions were proposed,
>>> but they were quite heavy.  Do we have a solution for that?
>>
>> There are various things that can be done with respect to key management.
>> Personally, I would not go with a single key.  But maven ought to maintain a
>> trust file, with options to accept files that are signed with a trusted key,
>> or signed by a key that is signed by a trusted key, etc.  The first thing
>> that has to happen is for the Maven PMC to make security a priority.
>>
>>        --- Noel
>>
>
> --
> Gilles Scokart
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>
