incubator-general mailing list archives

From "Hiram Chirino" <hi...@hiramchirino.com>
Subject Re: status of PGP support in Maven
Date Thu, 18 Sep 2008 00:59:01 GMT
Something else that needs to be considered is what happens if
someone's private key in the web of trust gets compromised?
Once compromised, malicious releases could get re-rolled and deployed.

I think GPG would be good to validate an initial dependency/checksum
for an artifact, but after that future builds should validate against
the artifact checksum.

Regards,
Hiram

On Mon, Sep 15, 2008 at 2:00 PM, Robert Burrell Donkin
<robertburrelldonkin@gmail.com> wrote:
> On Mon, Sep 15, 2008 at 3:40 PM, William A. Rowe, Jr.
> <wrowe@rowe-clan.net> wrote:
>> Brett Porter wrote:
>>>
>>> For the releases to be identified as from the incubator, they'll need to
>>> be
>>> signed solely by "the incubator". Did you want to elaborate on how you
>>> anticipated that set up working?
>>
>> With PGP it's a web of trust.  Any ASF-role key would never be used to sign
>> any artifact.  Ideally, ASF-key would sign incubator key, incubator key
>> would sign Jane's key, Jane would RM and sign with her own key, and the web
>> of trust satisfies the trust requirement.
>
> i think that this approach would require a shadow web for incubator keys
>
> suppose:
>
> alice is an apache committer
> alice has key K which is commented "APACHE CODE SIGNING KEY"
> alice is elected release manager for incubator podling P
> alice would need to create a new key S which is commented "INCUBATOR
> RELEASES ONLY"
> alice adds S to an incubator KEYS document
>
> then alice should ensure that S (not K) is the only key used to sign
> the release for P
>
> - robert
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>



-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com
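The policy Hiram sketches above (verify the signature once, then hold future builds to the recorded checksum) as an added example; this is not code from the thread, from Maven or from any Apache tooling. It stands in Ed25519 from Go's standard library for the PGP signature so it runs offline; the artifact coordinates, the artifact bytes and the keys are constructed for the example. The scenario walks through the failure mode raised in the message: after the release key is compromised, a re-rolled artifact arrives with a perfectly valid signature, and only the pinned checksum rejects it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Lockfile maps artifact coordinates to the SHA-256 hex digest pinned when the
// artifact was first accepted (a checksum lock checked in beside the build).
type Lockfile map[string]string

var (
	ErrBadSignature = errors.New("signature does not verify against the trusted release key")
	ErrPinMismatch  = errors.New("artifact bytes differ from the pinned checksum")
)

// Digest returns the hex SHA-256 of an artifact.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Resolve accepts or rejects an artifact for the given coordinates.
// On first use the detached signature must verify against releaseKey and the
// digest is then pinned. On every later build only the pin is consulted, so a
// fresh signature made with a later-compromised key cannot swap the bytes.
func Resolve(lock Lockfile, coord string, artifact, sig []byte, releaseKey ed25519.PublicKey) (string, error) {
	d := Digest(artifact)
	if pinned, ok := lock[coord]; ok {
		if pinned != d {
			return "", ErrPinMismatch
		}
		return d, nil
	}
	if !ed25519.Verify(releaseKey, artifact, sig) {
		return "", ErrBadSignature
	}
	lock[coord] = d
	return d, nil
}

// Result collects the outcomes of Scenario so a caller can inspect them.
type Result struct {
	FirstErr       error // first fetch, properly signed: nil
	ForgedFirstErr error // first fetch signed by an untrusted key: ErrBadSignature
	RerollSigValid bool  // the re-rolled artifact carries a valid signature: true
	RerollErr      error // the re-rolled artifact checked against the pin: ErrPinMismatch
	PinKept        bool  // the lockfile still names the original digest: true
}

// Scenario plays out the thread's concern: a release is accepted and pinned,
// then the release key is compromised and a re-rolled artifact with a valid
// signature is published under the same coordinates.
func Scenario() Result {
	var r Result
	// Deterministic keys so the example is reproducible (constructed, not real keys).
	release := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	releasePub := release.Public().(ed25519.PublicKey)
	outsider := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x24}, ed25519.SeedSize))

	coord := "org.example:widget:1.0.0" // constructed coordinates
	good := []byte("widget-1.0.0.jar: constructed sample artifact bytes")
	goodSig := ed25519.Sign(release, good)

	// With no pin yet, the signature is all that stands between the build and
	// the bytes, so a signature from a key outside the trusted set must fail.
	forgedSig := ed25519.Sign(outsider, good)
	_, r.ForgedFirstErr = Resolve(Lockfile{}, coord, good, forgedSig, releasePub)

	lock := Lockfile{}
	_, r.FirstErr = Resolve(lock, coord, good, goodSig, releasePub)

	// The attacker now holds the release key and re-rolls the release.
	evil := []byte("widget-1.0.0.jar: re-rolled with a backdoor")
	evilSig := ed25519.Sign(release, evil)
	r.RerollSigValid = ed25519.Verify(releasePub, evil, evilSig) // signature alone would pass
	_, r.RerollErr = Resolve(lock, coord, evil, evilSig, releasePub)
	r.PinKept = lock[coord] == Digest(good)
	return r
}

func main() {
	r := Scenario()
	fmt.Printf("first fetch: %v\nfirst fetch with untrusted signer: %v\n", r.FirstErr, r.ForgedFirstErr)
	fmt.Printf("re-rolled signature valid: %v; pinned build says: %v\n", r.RerollSigValid, r.RerollErr)
	fmt.Printf("pin unchanged: %v\n", r.PinKept)
}
```

The pin has to be stored somewhere the attacker cannot rewrite along with the artifact (in the consuming project's own repository, not next to the artifact on the distribution server), otherwise the re-rolled release simply ships a matching lock entry. Rotating a legitimately replaced artifact then becomes an explicit, reviewable change to the lock rather than something a signature alone can do.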
