incubator-general mailing list archives

From Henning Schmiedehausen <henn...@apache.org>
Subject Re: [DISCUSS] Do we really need an incubator?
Date Tue, 15 Jul 2008 10:34:49 GMT
On Mon, 2008-07-07 at 17:06 -0700, Roy T. Fielding wrote:

> Yes, it would be nice if Maven was more secure, properly checked
> signatures, and properly delegated namespaces so that third-parties
> would be unable to add artifacts within other org's trees.  None of
> those issues are specific to incubator.

In the light of these reports:

http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
http://www.heise.de/newsticker/Bericht-Paket-Management-Systeme-unter-Linux-nur-bedingt-vertrauenswuerdig--/meldung/110908/

the question on attacks on the maven repository is probably no longer
"how" but only "when". These are attacks on Linux repositories, which
might be larger and more distributed than the maven repos, but the
jackpot of cracking *the* central Java artifact distribution center
would probably be bigger than getting a few thousand Linux systems to
run a repo-delivered backdoor.

This is definitely an issue that needs resolving sooner than later.

	Ciao
		Henning
