incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb <seb...@gmail.com>
Subject Re: status of PGP support in Maven
Date Mon, 22 Sep 2008 14:12:06 GMT
On 22/09/2008, Hiram Chirino <hiram@hiramchirino.com> wrote:
> The only reason I suggested including the sigs in the source distro is
>  because a source build like Apache ServiceMix depends on hundreds of
>  third party dependencies.. so an end user would need to end up
>  trusting LOTs different signatures to get ServiceMix to build.
>
>  It would be easier if the end user could just trust the Apache source
>  distro and also transitively trust the signatures that we trust for
>  our dependencies.
>

So effectively you are proposing a secondary indirect signature for
each of those artefacts.

But instead of signing the checksum list, why not generate signatures
for the artefacts themselves and check those?

You could then store the Apache sigs in the Maven repo, and they would
then be available to all Apache projects - and to any others who
decided to trust the Apache key.

>  The end user would still need to manually validate the source distro signature.
>

I can see that it would be an improvement over the existing Maven
situation, but for me it does not go far enough.

The problem is that the process of generating the checksum list does
not scale well, and it forces every project to use fixed versions for
each dependency.

>  Regards,
>
> Hiram
>
>
>  On Sat, Sep 20, 2008 at 1:08 PM, Henning Schmiedehausen
>  <henning@apache.org> wrote:
>
> > On Sat, 2008-09-20 at 10:08 +0100, Robert Burrell Donkin wrote:
>  >> On Fri, Sep 19, 2008 at 6:11 PM, Justin Erenkrantz
>  >> <justin@erenkrantz.com> wrote:
>  >> > On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino <hiram@hiramchirino.com>
wrote:
>  >> >> How about we include the signatures in the source distros?  That way
>  >> >> if you trust your source, then you can trust the dependencies it
>  >> >> downloads.
>  >> >
>  >> > Eww.  That'd be a giant gaping security hole.
>  >>
>  >> not necessarily, depends how it's done
>  >>
>  >> signing works through trusting the people who own the keys. given
>  >> sufficient signaturees (to prevent small conspiracies), where the
>  >> signatures are downloaded from shouldn't matter.
>  >
>  > Hiram suggested to put the signatures into the source, which in turn is
>  > also distributed from the repo. If you compromise the repo and change
>  > the artifact, it is trivial to update the source artifact to contain a
>  > matching signature.
>  >
>  > This is a security hole. And I don't really care for some of the
>  > proposed "high nineties" security solutions. Either a solution is secure
>  > or it is not. Everything else is just FUD.
>  >
>  > The problem with the central repo is that you need an easy accessible
>  > web of trust if you want validation. The Apache web of trust is
>  > distributed and an overlay to the GPG web of trust. But if you live in
>  > Juneau, Alaska, it is hard for you to access it and get a trust
>  > relationship to it.
>  >
>  > There is a (bit rusty) proposal on how to improve this at
>  > http://people.apache.org/~henkp/trust/
>  >
>  >        Ciao
>  >                Henning
>  >
>  >
>  >
>  > ---------------------------------------------------------------------
>  > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>  > For additional commands, e-mail: general-help@incubator.apache.org
>  >
>  >
>
>
>
>
> --
>  Regards,
>  Hiram
>
>  Blog: http://hiramchirino.com
>
>  Open Source SOA
>  http://open.iona.com
>
>  ---------------------------------------------------------------------
>
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>  For additional commands, e-mail: general-help@incubator.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message