incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 20:53:12 GMT
Hiram, I wish you would desist already from debating positions that you
can't defend...

Hiram Chirino wrote:
> On Thu, Sep 18, 2008 at 3:07 PM, sebb <sebbaz@gmail.com> wrote:
>> On 18/09/2008, Hiram Chirino <hiram@hiramchirino.com> wrote:
>>> So the responsibility is still on us, the upstream distributor, to
>>>  verify the the checksums we list in our source distro are correct.
>> And how do we do that?
>> We cannot use the Maven repo as it has already been compromised.
> 
> If you are a totally paranoid, you would build all the dependencies
> your self and use those checksums.  :)  Since that's not practical,
> you have to trust that an artifact on a maven repo has not been
> hacked.. or even validate it has not been hacked (perhaps the project
> provides a separate website with the checksums of the artifacts).

www.apache.org has been breached at least once in it's history.  Over the
course of the next 100 years, it will likely happen once again.  You have
two ASF machines and two maven machines in the matrix, the DNS and www
servers of both ASF and the maven host.  That's four vectors already.
I'm not even going into other upstream hosts.

If it were cracked again, MD5 signatures would not be trusted, and all of
those resources would be wiped if there were no gpg keys available to
validate the packages.

At least, you design for this scenario and pray that doesn't happen.

Hiram Chirino wrote:
 >
 > Yes, but that kind of attack would only affect me if It's the first
 > time I'm creating a dependency to that artifact.  Further more, other
 > existing users of the artifact would detect the artifact replacement,
 > and act to get the problem corrected.  I consider the checksum
 > solution very similar to how SSH work in asking you to verify your
 > initial connection to a host.  It's not 100% secure, but in practical
 > use, it's in the high 90s.  :)

Using SHA-384 and higher?  Or MD5?  MD5 can be cracked resulting in a
same sized object.

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message