incubator-general mailing list archives

From "Hiram Chirino" <hi...@hiramchirino.com>
Subject Re: status of PGP support in Maven
Date Wed, 24 Sep 2008 13:44:36 GMT
On Wed, Sep 24, 2008 at 1:27 AM, Henning Schmiedehausen
<henning@apache.org> wrote:
> On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote:
>> On Mon, Sep 22, 2008 at 10:12 AM, sebb <sebbaz@gmail.com> wrote:
>> > On 22/09/2008, Hiram Chirino <hiram@hiramchirino.com> wrote:
>> >> The only reason I suggested including the sigs in the source distro is
>> >>  because a source build like Apache ServiceMix depends on hundreds of
>> >>  third party dependencies.. so an end user would need to end up
>> >>  trusting LOTS of different signatures to get ServiceMix to build.
>> >>
>> >>  It would be easier if the end user could just trust the Apache source
>> >>  distro and also transitively trust the signatures that we trust for
>> >>  our dependencies.
>> >>
>> >
>>
>> I actually meant to say include the pub key for the dependency in the
>> source distro.
>
> How do you validate that the pub key presented to you is genuine? What
> you are currently proposing is
>
> src-artifact <- signed with A's privkey, validated with A's pubkey
>
> A's pubkey is inside src-artifact.

NO, I'm not.  I'm saying that artifact A has 100 dependencies by, say, 30
different signers; we include those 30 pub keys in the src-artifact, NOT the A key!

You have to validate the A source distro the same way you would
validate an Ant-based build source distro today.


-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com
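The trust model Hiram describes, worked through as an added example that is not part of the original thread or of any Apache project code: the end user verifies the source distro with A's key obtained out of band, and because the bundled keyring of dependency signers is covered by that signature, each dependency's detached signature can then be checked against the bundled keys without trusting anyone A did not vouch for. Ed25519 from the Go standard library stands in for PGP purely to keep the program self-contained; the signer IDs, artifact names and contents are constructed sample data, and the canonical digest format is an assumption of this example, not anything Maven or gpg does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Signer stands in for one PGP identity (a dependency maintainer, or the
// release manager "A"). Ed25519 replaces PGP only to keep this self-contained.
type Signer struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh keypair for the named (constructed) identity.
func NewSigner(id string) Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{ID: id, Pub: pub, priv: priv}
}

// Artifact is a dependency jar, its detached signature (the .asc equivalent)
// and the key ID the signature claims to come from.
type Artifact struct {
	Name     string
	Content  []byte
	SignerID string
	Sig      []byte
}

// SignArtifact produces a dependency artifact signed by s.
func (s Signer) SignArtifact(name string, content []byte) Artifact {
	return Artifact{Name: name, Content: content, SignerID: s.ID, Sig: ed25519.Sign(s.priv, content)}
}

// SourceDistro models the Apache source distro: the sources, the bundled public
// keys of the dependency signers, and A's detached signature. A's own key is
// NOT bundled; the user obtains it out of band, as for any source distro today.
type SourceDistro struct {
	Sources []byte
	Keyring map[string]ed25519.PublicKey // signer ID -> public key
	Sig     []byte
}

// digest hashes sources and keyring in canonical order (assumed format) so that
// A's single signature covers the bundled keys as well as the code.
func (d SourceDistro) digest() []byte {
	ids := make([]string, 0, len(d.Keyring))
	for id := range d.Keyring {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	h := sha256.New()
	h.Write(d.Sources)
	for _, id := range ids {
		h.Write([]byte(id))
		h.Write(d.Keyring[id])
	}
	return h.Sum(nil)
}

// BuildDistro is the release manager's step: bundle the dependency signers'
// public keys and sign sources and keyring together.
func BuildDistro(a Signer, sources []byte, depSigners []Signer) SourceDistro {
	d := SourceDistro{Sources: sources, Keyring: map[string]ed25519.PublicKey{}}
	for _, s := range depSigners {
		d.Keyring[s.ID] = s.Pub
	}
	d.Sig = ed25519.Sign(a.priv, d.digest())
	return d
}

// VerifyDistro is the user's first step: check A's signature with A's key
// obtained out of band. Passing this makes the bundled keyring trustworthy.
func VerifyDistro(d SourceDistro, trustedA ed25519.PublicKey) error {
	if !ed25519.Verify(trustedA, d.digest(), d.Sig) {
		return errors.New("source distro signature does not verify against A's key")
	}
	return nil
}

// VerifyDependency is the second step, run per dependency: look the claimed
// signer up in the bundled keyring and verify the detached signature. A signer
// A never bundled is rejected rather than fetched from a keyserver.
func VerifyDependency(d SourceDistro, art Artifact) error {
	pub, ok := d.Keyring[art.SignerID]
	if !ok {
		return fmt.Errorf("%s: signer %q is not in the bundled keyring", art.Name, art.SignerID)
	}
	if !ed25519.Verify(pub, art.Content, art.Sig) {
		return fmt.Errorf("%s: signature by %q does not verify", art.Name, art.SignerID)
	}
	return nil
}

func main() {
	a := NewSigner("release-manager-A")
	dep1, dep2 := NewSigner("dep-maintainer-1"), NewSigner("dep-maintainer-2")
	distro := BuildDistro(a, []byte("constructed sources"), []Signer{dep1, dep2})
	fmt.Println("distro:", VerifyDistro(distro, a.Pub))
	fmt.Println("known dep:", VerifyDependency(distro, dep1.SignArtifact("foo-1.0.jar", []byte("jar"))))
	rogue := NewSigner("rogue")
	fmt.Println("unknown signer:", VerifyDependency(distro, rogue.SignArtifact("bar-1.0.jar", []byte("jar"))))
	tampered := distro // swapping a bundled key breaks A's signature
	tampered.Keyring = map[string]ed25519.PublicKey{"dep-maintainer-1": rogue.Pub, "dep-maintainer-2": dep2.Pub}
	fmt.Println("tampered keyring:", VerifyDistro(tampered, a.Pub))
}
```

The point the tampered-keyring case makes is the one Henning's objection turns on: bundling the dependency keys only works because they sit inside the artifact that A signs, so an attacker who swaps a key in the keyring also invalidates A's signature, while A's own key still has to be trusted by some means outside the distro.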

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

