From: sebb
To: general@incubator.apache.org
Date: Thu, 18 Sep 2008 20:07:24 +0100
Subject: Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Message-ID: <25aac9fc0809181207o417967eft7a5ee1127fb90956@mail.gmail.com>

On 18/09/2008, Hiram Chirino wrote:
> On Thu, Sep 18, 2008 at 10:59 AM, sebb wrote:
> > On 18/09/2008, Hiram Chirino wrote:
> >> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr. wrote:
> >>
> >> > Similarly, the issue of signature validation is a significant flaw which
> >> > I also hope maven addresses even more promptly, and which they are aware
> >> > of. The alternatives are to take down maven until it is secure, or to
> >> > continue to populate maven with various released artifacts. And this too
> >> > isn't germane to the question above, which is;
> >>
> >> The signature validation issue has a simple fix which I have already
> >> mentioned earlier. I'm not sure why folks continue to think it's
> >> still a problem. All the projects need to do is enable a checksum
> >> validation plugin, and at least that problem is resolved.
> >
> > Not sure I agree that the checksum plugin solves the problem.
> >
> > As far as I can tell, all that the plugin does is to detect any
> > changes to dependencies that occur *after the checksum list is
> > initially generated*
>
> Agreed.
>
> > Unless I'm mistaken, it does not guard against the original dependency
> > already being corrupt, nor does it protect the product itself.
>
> So the responsibility is still on us, the upstream distributor, to
> verify the checksums we list in our source distro are correct.

And how do we do that? We cannot use the Maven repo as it has already
been compromised.

> But at least by doing this, downstream users of our source distros
> can rest assured that the dependencies that they are using are the
> correct ones.

Only if our distro has not had its checksum list hacked.

> If a committer by mistake adds an invalid checksum for an artifact
> that has been hacked in his repo, hopefully, another developer doing
> the build will notice that the build fails due to checksum error if he
> has the valid artifact. At that point they can investigate who has
> the valid copy of the artifact. The more users that are building the
> software with the checksum validation, the better chance you've got at
> someone noticing a hacked repo artifact.

Depends on when the hacked version was uploaded. It's quite possible
that every ASF use of the module will be after the original hack.

> If by chance all repos being used only have the hacked version of the
> artifact and no one notices it hacked and we release with that.. then
> that would be a serious issue yes. I think we should handle that like

Which is what we should protect against from the start.

> we would handle any serious security flaw in our products. Re-release
> with the flaw (checksum) corrected and advise all our users to
> upgrade.
>
> On a side note.. a GPG web of trust would help in trusting the
> original binary checksum. Note that downstream users of our source
> distro may not trust people we trust, so they may want those checksums
> anyways.

How? By signing the checksum? If so, fine, but then why not just sign the jar.

> > What's to stop the checksum list being corrupted?

Any comment on this?

> --
> Regards,
> Hiram
>
> Blog: http://hiramchirino.com
>
> Open Source SOA
> http://open.iona.com

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
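An added illustration of the point argued in this thread, written for this page and not code from the thread, from Maven or from any checksum plugin: a Go sketch of a checksum list of the kind a source distribution would ship, showing that checking it only catches changes made after the list was generated (a list built from an already-corrupt dependency still verifies), and that a signature over the list is what stops the list itself from being altered. The artifact names, contents and the ed25519 key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// artifact is a dependency as it sits in a local repository: its name and bytes.
type artifact struct{ name string; data []byte }

// checksumList writes one "<sha256>  <name>" line per artifact, the form a
// checksum file shipped inside a source distribution would take.
func checksumList(artifacts []artifact) string {
	var b strings.Builder
	for _, a := range artifacts {
		sum := sha256.Sum256(a.data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), a.name)
	}
	return b.String()
}

// verifyChecksums passes only if every artifact hashes to its listed entry and
// nothing is unlisted. It catches changes made after the list was written, but
// a list generated from an already-corrupt dependency still verifies.
func verifyChecksums(list string, artifacts []artifact) bool {
	want := map[string]string{}
	for _, line := range strings.Split(list, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			want[f[1]] = f[0]
		}
	}
	if len(want) != len(artifacts) {
		return false
	}
	for _, a := range artifacts {
		sum := sha256.Sum256(a.data)
		if want[a.name] != hex.EncodeToString(sum[:]) {
			return false
		}
	}
	return true
}

// verifySignedChecksums checks the list's detached signature (release manager's key) before trusting any entry, so an edited list is rejected.
func verifySignedChecksums(pub ed25519.PublicKey, list string, sig []byte, artifacts []artifact) bool {
	return ed25519.Verify(pub, []byte(list), sig) && verifyChecksums(list, artifacts)
}
```

The same signature check applies if the release manager signs the jar directly instead of the list; the list only adds a layer of indirection that must itself be protected.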