incubator-general mailing list archives

From sebb <seb...@gmail.com>
Subject Re: status of PGP support in Maven
Date Mon, 22 Sep 2008 18:38:10 GMT
On 21/09/2008, Henning Schmiedehausen <henning@schmiedehausen.org> wrote:
>
>  On Sat, 2008-09-20 at 19:52 +0200, Jukka Zitting wrote:
>  > Hi,
>  >
>  > On Sat, Sep 20, 2008 at 7:08 PM, Henning Schmiedehausen
>  > <henning@apache.org> wrote:
>  > > Hiram suggested to put the signatures into the source, which in turn is
>  > > also distributed from the repo.
>  >
>  > It's not. The sources you build come either from svn or from a signed
>  > release package.
>
> What is a signed release package? If I can compromise the repository and
>  change signatures on an artifact, I can also change the signatures and
>  contents on a "signed release package". That does not work.
>
>  In <af2843cd0809190612l26a03571iad65544edd954372@mail.gmail.com>:
>
>  Hiram> How about we include the signatures in the source distros?  That
>  Hiram> way if you trust your source, then you can trust the dependencies
>  Hiram> it downloads.
>
>  Sounds pretty clear to me. Your suggestion again requires that the
>  verifier goes back to a central, trusted repository (Single point of
>  failure)

AIUI, the checksum list will be part of the release, which will be
signed. Therefore it cannot be changed unless the signature is
changed. Validating the signature on the release is an essential part
of the process.

That's no different from validating a standard release.

> and even more, it requires some sort of convention on where and
>  how to store these signatures. Does not scale.

However, I totally agree with that.

>  Folks, if distributed trust was easy, Trust Centers wouldn't make a
>  fortune selling signed keys from a central trust source ("Root
>  certificate").
>
>         Ciao
>
>                 Henning
>
>  ---------------------------------------------------------------------
>  To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>  For additional commands, e-mail: general-help@incubator.apache.org
>
>
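
The trust chain sebb describes, as an added example that is not part of this thread or of Maven: the release ships a checksum list covered by the release signature, so a verifier checks that signature first and only then trusts the list to validate each downloaded dependency. Ed25519 stands in for the PGP release key, and the list format, artifact paths and artifact bytes are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrBadSignature = errors.New("release signature invalid: checksum list was altered")
var ErrBadChecksum = errors.New("dependency missing or checksum mismatch")

// Entry is one line of the checksum list shipped inside the signed release (assumed format).
type Entry struct{ Path, SHA256 string }

// Canonical renders the list as the exact bytes the release signature covers.
func Canonical(list []Entry) []byte {
	var out []byte
	for _, e := range list {
		out = append(out, e.SHA256+"  "+e.Path+"\n"...)
	}
	return out
}

// Sha256Hex hashes artifact bytes the way the checksum list records them.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest stands in for the release manager's detached PGP signature (Ed25519 here).
func SignManifest(priv ed25519.PrivateKey, list []Entry) []byte {
	return ed25519.Sign(priv, Canonical(list))
}

// VerifyRelease checks the signature over the checksum list first, then each download
// against its entry: a repository that swaps an artifact or edits the list cannot pass.
func VerifyRelease(pub ed25519.PublicKey, list []Entry, sig []byte, downloads map[string][]byte) error {
	if !ed25519.Verify(pub, Canonical(list), sig) {
		return ErrBadSignature
	}
	for _, e := range list {
		data, ok := downloads[e.Path]
		if !ok || Sha256Hex(data) != e.SHA256 {
			return fmt.Errorf("%s: %w", e.Path, ErrBadChecksum)
		}
	}
	return nil
}
```

A repository that only swaps an artifact fails the checksum step; one that also rewrites the checksum entry fails the signature step, which is why the signature over the list is the root of the whole check.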
