incubator-general mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: status of PGP support in Maven
Date Wed, 24 Sep 2008 14:11:44 GMT

On Sep 24, 2008, at 3:44 PM, Hiram Chirino wrote:

> On Wed, Sep 24, 2008 at 1:27 AM, Henning Schmiedehausen
> <henning@apache.org> wrote:
>> On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote:
>>> On Mon, Sep 22, 2008 at 10:12 AM, sebb <sebbaz@gmail.com> wrote:
>>>> On 22/09/2008, Hiram Chirino <hiram@hiramchirino.com> wrote:
>>>>> The only reason I suggested including the sigs in the source distro is
>>>>> because a source build like Apache ServiceMix depends on hundreds of
>>>>> third-party dependencies.. so an end user would need to end up
>>>>> trusting LOTS of different signatures to get ServiceMix to build.
>>>>>
>>>>> It would be easier if the end user could just trust the Apache source
>>>>> distro and also transitively trust the signatures that we trust for
>>>>> our dependencies.
>>>>>
>>>>
>>>
>>> I actually meant to say include the pub key for the dependency in the
>>> source distro.
>>
>> How do you validate that the pub key presented to you is genuine? What
>> you are currently proposing is
>>
>> src-artifact <- signed with A's privkey, validated with A's pubkey
>>
>> A's pubkey is inside src-artifact.
>
> NO I'm not.  I'm saying that artifact A has 100 dependencies by, say, 30
> different signers.. we include those 30 pub keys in the src-artifact.  NOT the A key!
>
> You have to validate the A source distro the same way you would
> validate an ANT based build source distro today.

Ok, we can do something where the X +1's issued are sent to a keyserver
along with the OK of a PMC member or human gate (as one does not want
to also automate veto counting) or similar - together with the md5/sha1.
And returned is the latter hash signed by some rolling Apache key
or x509.

Thanks,

Dw

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
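
The chain Hiram describes (trust the Apache source distro, then transitively trust the dependency keys bundled inside it) and the question Henning raises (how is the bundled key itself validated?) can be made concrete. The following is an added example and is not code from this thread, from Maven, or from any Apache project. A toy textbook-RSA signer stands in for gpg so it runs offline; the names `keygen`, `build_distro`, `verify_build` and `demo`, and the artifact bytes, are constructed for illustration. The point it shows: the bundled KEYS are only as trustworthy as the distro signature they arrive in, so the distro must be verified against a release key obtained out of band before any bundled key is used.

```python
"""Transitive trust for a source distro that bundles its dependencies' public keys.
Added example; toy RSA here is NOT PGP and NOT for production use."""
import hashlib
import json
import secrets


# ---- toy textbook-RSA signing (stand-in for gpg; hypothetical helper) ----
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def keygen(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)). Needs Python 3.8+ for pow(e, -1, phi)."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so this means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data: bytes) -> int:                 # SHA-256 as an integer; always < n for 512-bit n
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_digest(data), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return 0 < sig < n and pow(sig, e, n) == _digest(data)


# ---- the distro model: project files plus the KEYS of its dependencies' signers ----
def build_distro(files: dict, dependency_keys: list) -> bytes:
    return json.dumps({"files": files, "KEYS": [list(k) for k in dependency_keys]},
                      sort_keys=True).encode()


def verify_build(distro: bytes, distro_sig: int, trusted_release_keys: list, dependencies: list) -> dict:
    """Step 1: the distro must verify against a release key trusted OUT OF BAND (never a key
    taken from the distro itself). Step 2: only then are the bundled KEYS used for dependencies."""
    if not any(verify(k, distro, distro_sig) for k in trusted_release_keys):
        return {"distro": False, "dependencies": {}}
    bundled = [tuple(k) for k in json.loads(distro)["KEYS"]]
    return {"distro": True,
            "dependencies": {name: any(verify(k, data, sig) for k in bundled)
                             for name, data, sig in dependencies}}


def demo():
    """Constructed scenario: an honest release, then an attacker who swaps a dependency and
    bundles their own key. Returns (honest_result, naive_check_on_evil, chained_check_on_evil)."""
    release_pub, release_priv = keygen()         # project's release key, pinned by the user
    signer_pub, signer_priv = keygen()           # a third-party dependency signer
    dep = b"dep-1.0.jar (constructed bytes)"
    distro = build_distro({"pom.xml": "<project/>"}, [signer_pub])
    honest = verify_build(distro, sign(release_priv, distro), [release_pub],
                          [("dep-1.0.jar", dep, sign(signer_priv, dep))])

    mallory_pub, mallory_priv = keygen()
    evil_dep = b"dep-1.0.jar with backdoor (constructed bytes)"
    evil_distro = build_distro({"pom.xml": "<project/>"}, [mallory_pub])
    evil_deps = [("dep-1.0.jar", evil_dep, sign(mallory_priv, evil_dep))]
    # Naive check: trust whatever key the distro carries. The attacker's key verifies the
    # attacker's dependency, so this passes; that is Henning's objection.
    naive = any(verify(tuple(k), evil_dep, evil_deps[0][2]) for k in json.loads(evil_distro)["KEYS"])
    # Chained check: the distro was re-signed with Mallory's key, not the pinned release key,
    # so step 1 fails and the bundled KEYS are never consulted.
    chained = verify_build(evil_distro, sign(mallory_priv, evil_distro), [release_pub], evil_deps)
    return honest, naive, chained


if __name__ == "__main__":
    print(demo())
```

The bundled KEYS file is therefore a convenience (the user pins one release key instead of thirty signer keys), not a root of trust: its contents are trusted exactly because the signature over the whole distro, checked against a key the user already holds, covers them.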

