incubator-general mailing list archives

From "James Carman" <ja...@carmanconsulting.com>
Subject Re: status of PGP support in Maven
Date Mon, 22 Sep 2008 13:57:02 GMT
Eclipse does something like this, doesn't it?  When you install a
plugin, it asks you to accept the license terms for all the stuff
that's being imported.  Couldn't maven do something similar?

On Mon, Sep 22, 2008 at 9:34 AM, Hiram Chirino <hiram@hiramchirino.com> wrote:
> The only reason I suggested including the sigs in the source distro is
> because a source build like Apache ServiceMix depends on hundreds of
> third party dependencies, so an end user would need to end up
> trusting LOTS of different signatures to get ServiceMix to build.
>
> It would be easier if the end user could just trust the Apache source
> distro and also transitively trust the signatures that we trust for
> our dependencies.
>
> The end user would still need to manually validate the source distro signature.
>
> Regards,
> Hiram
>
> On Sat, Sep 20, 2008 at 1:08 PM, Henning Schmiedehausen
> <henning@apache.org> wrote:
>> On Sat, 2008-09-20 at 10:08 +0100, Robert Burrell Donkin wrote:
>>> On Fri, Sep 19, 2008 at 6:11 PM, Justin Erenkrantz
>>> <justin@erenkrantz.com> wrote:
>>> > On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino <hiram@hiramchirino.com> wrote:
>>> >> How about we include the signatures in the source distros?  That way
>>> >> if you trust your source, then you can trust the dependencies it
>>> >> downloads.
>>> >
>>> > Eww.  That'd be a giant gaping security hole.
>>>
>>> not necessarily, depends how it's done
>>>
>>> signing works through trusting the people who own the keys. given
>>> sufficient signatures (to prevent small conspiracies), where the
>>> signatures are downloaded from shouldn't matter.
>>
>> Hiram suggested to put the signatures into the source, which in turn is
>> also distributed from the repo. If you compromise the repo and change
>> the artifact, it is trivial to update the source artifact to contain a
>> matching signature.
>>
>> This is a security hole. And I don't really care for some of the
>> proposed "high nineties" security solutions. Either a solution is secure
>> or it is not. Everything else is just FUD.
>>
>> The problem with the central repo is that you need an easily accessible
>> web of trust if you want validation. The Apache web of trust is
>> distributed and an overlay to the GPG web of trust. But if you live in
>> Juneau, Alaska, it is hard for you to access it and get a trust
>> relationship to it.
>>
>> There is a (bit rusty) proposal on how to improve this at
>> http://people.apache.org/~henkp/trust/
>>
>>        Ciao
>>                Henning
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>>
>>
>
>
>
> --
> Regards,
> Hiram
>
> Blog: http://hiramchirino.com
>
> Open Source SOA
> http://open.iona.com
>



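The disagreement above (Hiram: ship the dependency signatures inside the source distro and let the user validate only the source distro signature by hand; Henning: whoever can swap an artifact in the repo can rewrite the source distro to match; Robert: what matters is which keys you trust, not where the signature bytes came from) can be played out as a small model. This is an added example, not code from the thread, from Maven or from the ASF: the signature scheme is textbook RSA over fixed small primes with SHA-256 so that it runs offline (it stands in for OpenPGP and is not secure), and the repo layout, the `KEYS` map, the `trusted`/`dep-sigs` fields and the identity names are assumptions.

```python
"""Toy model of the trust question in the thread: does it matter where a
signature is downloaded from, or only which key it is checked against?
Added example, not code from the thread, Maven or the ASF. The signature
scheme is textbook RSA over fixed small primes plus SHA-256 so it runs
offline; it is NOT secure and only stands in for OpenPGP."""
import hashlib
import json
from math import gcd

# Fixed small primes, one pair per identity (toy only; real keys are random).
PRIMES = {
    "release": (1000000007, 998244353),    # the project's release-signing key
    "dep": (1000000009, 999999937),        # a third-party dependency author
    "attacker": (2147483647, 1000000021),  # someone who compromised the repo
}

def keygen(name):
    p, q = PRIMES[name]
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in (65537, 257, 17, 5, 3) if gcd(c, phi) == 1)
    return {"pub": [n, e], "priv": [n, pow(e, -1, phi)]}

def fingerprint(pub):
    return hashlib.sha256(json.dumps(pub).encode()).hexdigest()[:16]

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def make_repo(release, dep, dep_jar):
    """Honest publication: the dependency, a KEYS file, and a source distro
    that (per Hiram's proposal) carries the dependency signature and the
    fingerprints the project trusts, itself signed by the release key."""
    src = json.dumps({
        "trusted": [fingerprint(dep["pub"])],
        "dep-sigs": {"dep.jar": sign(dep["priv"], dep_jar)},
    }, sort_keys=True).encode()
    return {
        "KEYS": {fingerprint(k["pub"]): k["pub"] for k in (release, dep)},
        "dep.jar": dep_jar,
        "src.tgz": src,
        "src.tgz.asc": sign(release["priv"], src),
    }

def compromise(repo, attacker, evil_jar):
    """Henning's scenario: whoever can swap the artifact can just as easily
    rewrite the source distro so its embedded signature matches, add their
    own key to KEYS, and re-sign the source distro with it."""
    repo = dict(repo)
    src = json.dumps({
        "trusted": [fingerprint(attacker["pub"])],
        "dep-sigs": {"dep.jar": sign(attacker["priv"], evil_jar)},
    }, sort_keys=True).encode()
    repo["KEYS"] = dict(repo["KEYS"], **{fingerprint(attacker["pub"]): attacker["pub"]})
    repo.update({"dep.jar": evil_jar, "src.tgz": src,
                 "src.tgz.asc": sign(attacker["priv"], src)})
    return repo

def build(repo, pinned_release_fpr=None):
    """The consumer's check. With pinned_release_fpr the user verified the
    release key out of band (the manual step Hiram says remains); without it
    the user accepts whatever KEYS the repo serves. Returns (ok, reason)."""
    keys = repo["KEYS"]
    candidates = [pinned_release_fpr] if pinned_release_fpr else list(keys)
    if not any(f in keys and verify(keys[f], repo["src.tgz"], repo["src.tgz.asc"])
               for f in candidates):
        return False, "source distro not signed by a trusted release key"
    src = json.loads(repo["src.tgz"])
    # Transitive trust: only the fingerprints the verified source distro names.
    for name, sig in src["dep-sigs"].items():
        if not any(f in keys and verify(keys[f], repo[name], sig) for f in src["trusted"]):
            return False, f"{name}: signature does not verify against a trusted key"
    return True, "all signatures verified"

def scenarios():
    release, dep, attacker = (keygen(n) for n in ("release", "dep", "attacker"))
    good = make_repo(release, dep, b"constructed: genuine dependency bytes")
    evil = compromise(good, attacker, b"constructed: backdoored dependency bytes")
    anchor = fingerprint(release["pub"])  # obtained out of band, not from the repo
    return {
        "honest, anchored": build(good, anchor)[0],
        "compromised, anchored": build(evil, anchor)[0],
        "compromised, no anchor": build(evil)[0],
    }

if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:24s} -> {'builds' if ok else 'REJECTED'}")
```

The three cases line up with the three positions: with the release fingerprint pinned out of band, the rewritten source distro is rejected at the first step no matter how consistent its embedded signatures are; with no anchor, the attacker's self-consistent repo verifies cleanly, which is the hole Henning describes. Swapping only `dep.jar` without touching the source distro is also caught, because the signature the build checks comes from the signed source tree, not from beside the artifact.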