incubator-general mailing list archives

From Henning Schmiedehausen <henn...@apache.org>
Subject Re: status of PGP support in Maven
Date Wed, 24 Sep 2008 05:27:10 GMT
On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote:
> On Mon, Sep 22, 2008 at 10:12 AM, sebb <sebbaz@gmail.com> wrote:
> > On 22/09/2008, Hiram Chirino <hiram@hiramchirino.com> wrote:
> >> The only reason I suggested including the sigs in the source distro is
> >>  because a source build like Apache ServiceMix depends on hundreds of
> >>  third party dependencies.. so an end user would need to end up
> >>  trusting LOTS of different signatures to get ServiceMix to build.
> >>
> >>  It would be easier if the end user could just trust the Apache source
> >>  distro and also transitively trust the signatures that we trust for
> >>  our dependencies.
> >>
> >
> 
> I actually meant to say include the pub key for the dependency in the
> source distro.

How do you validate that the pub key presented to you is genuine? What
you are currently proposing is

src-artifact <- signed with A's privkey, validated with A's pubkey

A's pubkey is inside src-artifact.

So you extract the pubkey from the src-artifact and use it to validate
that the src-artifact is really genuine.

(Bonus points for spotting the circle).

Alternative scenario:

bin-artifact <- signed with A's privkey, validated with A's pubkey

A's pubkey is inside src-artifact.

AIUI, you propose to download the src-artifact, extract the pubkey and
validate that the bin-artifact is genuine.

How do you trust that the src-artifact was not tampered with?

	Ciao
		Henning
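The circularity Henning describes, shown as an added example that is not part of the original thread, Maven or any Apache project's code: an artifact that carries its own signer's public key verifies "correctly" whoever built it, because an attacker who replaces the payload simply re-signs it and embeds their own key. Only a key obtained out of band (a KEYS file or key server you already trust, or a web-of-trust path) distinguishes the two. Ed25519 from the Go standard library stands in for PGP here; the payloads and the fixed-seed keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Artifact models a distribution that ships its signer's public key
// inside the very file that the signature covers.
type Artifact struct {
	Payload     []byte            // the archive contents (constructed sample)
	EmbeddedKey ed25519.PublicKey // "A's pubkey", as shipped inside the archive
	Signature   []byte            // signature over Payload
}

// Sign produces an artifact whose embedded key is the signer's own key.
func Sign(priv ed25519.PrivateKey, payload []byte) Artifact {
	return Artifact{
		Payload:     payload,
		EmbeddedKey: priv.Public().(ed25519.PublicKey),
		Signature:   ed25519.Sign(priv, payload),
	}
}

// VerifyWithEmbeddedKey is the circular check from the message: the key
// used to validate the artifact is taken from the artifact itself, so it
// only proves that whoever built the archive also held the key they
// chose to embed.
func VerifyWithEmbeddedKey(a Artifact) bool {
	return ed25519.Verify(a.EmbeddedKey, a.Payload, a.Signature)
}

// VerifyWithTrustedKey checks against a key obtained out of band; the
// key embedded in the artifact is ignored entirely.
func VerifyWithTrustedKey(trusted ed25519.PublicKey, a Artifact) bool {
	return ed25519.Verify(trusted, a.Payload, a.Signature)
}

// Tamper models the attack: replace the payload, sign it with the
// attacker's key and embed the attacker's public key in place of A's.
func Tamper(attackerPriv ed25519.PrivateKey, newPayload []byte) Artifact {
	return Sign(attackerPriv, newPayload)
}

// keyFromSeed derives a deterministic key from a fixed 32-byte seed so
// the example is reproducible; real keys must come from a CSPRNG.
func keyFromSeed(b byte) ed25519.PrivateKey {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = b
	}
	return ed25519.NewKeyFromSeed(seed)
}

// Demo runs both checks against a genuine and a tampered artifact and
// returns the four verdicts: genuine/embedded, genuine/trusted,
// tampered/embedded, tampered/trusted.
func Demo() (genuineEmbedded, genuineTrusted, tamperedEmbedded, tamperedTrusted bool) {
	projectKey := keyFromSeed(0x01)                    // A's key (constructed)
	attackerKey := keyFromSeed(0x02)                   // attacker's key (constructed)
	trusted := projectKey.Public().(ed25519.PublicKey) // fetched out of band

	genuine := Sign(projectKey, []byte("servicemix-src-1.0.tar.gz (constructed)"))
	tampered := Tamper(attackerKey, []byte("servicemix-src-1.0.tar.gz + backdoor (constructed)"))

	return VerifyWithEmbeddedKey(genuine), VerifyWithTrustedKey(trusted, genuine),
		VerifyWithEmbeddedKey(tampered), VerifyWithTrustedKey(trusted, tampered)
}

func main() {
	ge, gt, te, tt := Demo()
	fmt.Printf("genuine:  embedded=%v trusted=%v\n", ge, gt)
	fmt.Printf("tampered: embedded=%v trusted=%v\n", te, tt)
}
```

The tampered artifact passes the embedded-key check exactly as the genuine one does, which is the point of the "bonus points for spotting the circle" remark; only the check against the out-of-band key rejects it. The same holds for the second scenario in the message: a pubkey pulled from an unverified src-artifact is no better a trust anchor for the bin-artifact than one pulled from the bin-artifact itself.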



