incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hiram Chirino" <hi...@hiramchirino.com>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 20:21:19 GMT
On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr.
<wrowe@rowe-clan.net> wrote:
> Hiram Chirino wrote:
>>
>> So the responsibility is still on us, the upstream distributor, to
>> verify the the checksums we list in our source distro are correct.
>> But at least by doing this, down stream users of our source distros
>> can rest assured that the dependencies that they are using are the
>> correct ones.
>
> Not if there is a man in the middle attack.  If you didn't notice the
> recent noise w.r.t. DNS pollution, that's the very point of that vector.
> Had it been exploited, tens of thousands of download users could have
> been presented with inauthentic maven artifacts, complete with their
> freshly corresponding checksums.  Welcome to the internet.

Yes, but that kind of attack would only affect me if It's the first
time I'm creating a dependency to that artifact.  Further more, other
existing users of the artifact would detect the artifact replacement,
and act to get the problem corrected.  I consider the checksum
solution very similar to how SSH work in asking you to verify your
initial connection to a host.  It's not 100% secure, but in practical
use, it's in the high 90s.  :)

-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message