From: "Robert Burrell Donkin"
To: general@incubator.apache.org
Date: Tue, 3 Jun 2008 12:39:38 +0100
Subject: Re: enforced signing of artifacts, [was maven repository]

On 6/3/08, Gilles Scokart wrote:
> I thought this thread started with the idea: if maven would be able
> to validate signatures, we could use this feature to inform someone
> that he is using incubator artefacts.
> I thought the idea that launched this thread was to have a unique key
> for the incubator that the user has to trust if he wants to use
> incubator artefacts.

Stated like that, then the artifact would need to be encrypted.

> My question was in that context.

AIUI maven decided against enforcing download verification. So it
requires the maven team to develop this feature first.

Robert

> 2008/6/2 Noel J. Bergman :
>> Gilles Scokart wrote:
>>
>>> Noel J. Bergman:
>>> > Implement that, and we're fine. We will
>>> > require Incubator artifacts to be signed by a designated key available
>>> > to the PMC, and once a user has acknowledged that they accept such
>>> > Incubator signed artifacts, maven can do what it wants with them.
>>>
>>> --- Noel
>>
>>> Is that really possible?
>>
>> Very.
>>
>>> I remember some discussion on the infra list about an ASF wide signature.
>>> And the conclusion was always the same: how to secure a key that can be
>>> used by so many people. If I remember well, some solutions were proposed,
>>> but they were quite heavy. Do we have a solution for that?
>>
>> There are various things that can be done with respect to key management.
>> Personally, I would not go with a single key. But maven ought to maintain a
>> trust file, with options to accept files that are signed with a trusted key,
>> or signed by a key that is signed by a trusted key, etc. The first thing
>> that has to happen is for the Maven PMC to make security a priority.
>>
>> --- Noel
>
> --
> Gilles Scokart

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
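The trust-file policy Noel describes (accept an artifact signed by a trusted key, or by a key certified by a trusted key, and so on to a chosen depth) and Gilles' wish to tell the user that an artifact traces back to the Incubator key, worked as an added Python example that is not code from this thread, from Maven or from the ASF. The keyring, fingerprints and trust-file entries are constructed; the signature itself is assumed to have been verified already by a tool such as gpg, which yields the signer's fingerprint that this policy check consumes.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed keyring: fingerprint -> fingerprints of the keys that certified
# (signed) it. A real keyring would be read from gpg; these values are made up.
KEYRING: Dict[str, Set[str]] = {
    "INCUBATOR-PMC-KEY": set(),
    "RELEASE-MGR-KEY": {"INCUBATOR-PMC-KEY"},
    "CONTRIBUTOR-KEY": {"RELEASE-MGR-KEY"},
    "RANDOM-KEY": set(),
}

# Constructed trust file: the keys the user has explicitly accepted, with the
# label to show when an artifact chains back to that key.
TRUST_FILE: Dict[str, str] = {
    "INCUBATOR-PMC-KEY": "Apache Incubator (incubating artifacts)",
}


def trust_chain(signer: str, keyring: Dict[str, Set[str]],
                trust_file: Dict[str, str], max_depth: int) -> Optional[List[str]]:
    """Shortest certification chain [signer, ..., trusted root], or None.

    max_depth=0 accepts only keys listed in the trust file; max_depth=1 also
    accepts keys certified by a trusted key ("signed by a key that is signed
    by a trusted key"); larger values extend the chain accordingly.
    """
    queue = deque([(signer, [signer])])
    seen = {signer}
    while queue:
        fp, path = queue.popleft()
        if fp in trust_file:
            return path
        if len(path) - 1 >= max_depth:  # depth budget spent on this branch
            continue
        for certifier in sorted(keyring.get(fp, ())):
            if certifier not in seen:
                seen.add(certifier)
                queue.append((certifier, path + [certifier]))
    return None


def check_artifact(signer_fp: str, max_depth: int = 1) -> Tuple[bool, str]:
    """Policy decision plus the message a build tool could show the user."""
    chain = trust_chain(signer_fp, KEYRING, TRUST_FILE, max_depth)
    if chain is None:
        return False, f"rejected: {signer_fp} does not chain to a trusted key within {max_depth} hop(s)"
    hops = len(chain) - 1
    return True, f"accepted via {' <- '.join(chain)}: signed under '{TRUST_FILE[chain[-1]]}' ({hops} hop(s))"
```

The depth parameter is the policy knob: 0 is the "unique Incubator key" model, 1 is Noel's "signed by a key signed by a trusted key", and anything larger widens what a compromised intermediate key can vouch for.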