From: "Hiram Chirino"
Sender: chirino@gmail.com
To: general@incubator.apache.org
Date: Thu, 18 Sep 2008 16:21:19 -0400
Subject: Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
In-Reply-To: <48D29D55.6060700@rowe-clan.net>
References: <200809170657.47757.dkulp@apache.org> <1221696340.25066.4.camel@forge.local> <48D1AB65.2050603@rowe-clan.net> <19e0530f0809171825k36681f7dqde8160e343c3d20@mail.gmail.com> <48D1B1E8.3010700@rowe-clan.net> <25aac9fc0809180759y797f8addx8812ea873ac7abcd@mail.gmail.com> <48D29D55.6060700@rowe-clan.net>

On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr. wrote:
> Hiram Chirino wrote:
>>
>> So the responsibility is still on us, the upstream distributor, to
>> verify the checksums we list in our source distro are correct.
>> But at least by doing this, downstream users of our source distros
>> can rest assured that the dependencies that they are using are the
>> correct ones.
>
> Not if there is a man in the middle attack. If you didn't notice the
> recent noise w.r.t. DNS pollution, that's the very point of that vector.
> Had it been exploited, tens of thousands of download users could have
> been presented with inauthentic maven artifacts, complete with their
> freshly corresponding checksums. Welcome to the internet.

Yes, but that kind of attack would only affect me if it's the first time
I'm creating a dependency on that artifact. Furthermore, other existing
users of the artifact would detect the artifact replacement, and act to
get the problem corrected.

I consider the checksum solution very similar to how SSH works in asking
you to verify your initial connection to a host. It's not 100% secure,
but in practical use, it's in the high 90s. :)

-- 
Regards,
Hiram

Blog: http://hiramchirino.com
Open Source SOA
http://open.iona.com

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
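The scheme the two messages argue over, modelled as an added example (this is not code from the thread, from Maven, or from the Apache Incubator): the upstream source distro ships a list of dependency checksums, the downstream build verifies each fetched artifact against that list and pins any artifact it has not seen before, SSH-style. The pin-file format, the artifact coordinate `org.example:lib:1.0`, the jar bytes and the function names are all constructed for the example. It shows both sides of the argument: a user who already holds a pin detects a replaced artifact even when the attacker serves a freshly matching checksum file, while a first-time user accepts whatever arrives.

```python
"""
Trust-on-first-use (TOFU) checksum pinning for build dependencies.

Added example; not code from this thread, from Maven, or from the Apache
Incubator. The pin-file format, artifact coordinate and artifact bytes
below are constructed for the example.
"""
import hashlib
from typing import Dict, Optional, Tuple

# Constructed stand-ins for jar bytes fetched from a repository.
GENUINE_JAR = b"PK\x03\x04 genuine org.example:lib:1.0 bytes"
TAMPERED_JAR = b"PK\x03\x04 tampered org.example:lib:1.0 bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed pin list as an upstream project might ship it in its source
# distro: one "<coordinate> <sha256>" per line, '#' starts a comment.
PIN_FILE = f"""
# dependency checksums, verified by the release manager
org.example:lib:1.0 {sha256_hex(GENUINE_JAR)}
"""


def load_pins(text: str) -> Dict[str, str]:
    """Parse the pin list; malformed lines raise rather than being skipped."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1]) != 64:
            raise ValueError(f"bad pin line: {raw!r}")
        pins[parts[0]] = parts[1].lower()
    return pins


def verify_artifact(pins: Dict[str, str], coord: str, data: bytes,
                    served_checksum: Optional[str] = None) -> str:
    """
    Check one fetched artifact against the pin list and return:
      'corrupt'  - the .sha256 sidecar served with it does not match the
                   bytes (transfer error, or a sloppy attacker)
      'pinned'   - no pin existed yet: trust on first use, record the digest
      'ok'       - digest matches the existing pin
      'mismatch' - digest differs from the existing pin: the artifact has
                   been replaced since it was pinned
    The served checksum is never used as the reference: whoever can
    substitute the artifact (e.g. via DNS poisoning) can substitute its
    checksum file too. Only the pin list shipped with the source is trusted.
    """
    digest = sha256_hex(data)
    if served_checksum is not None and served_checksum.lower() != digest:
        return "corrupt"
    pinned = pins.get(coord)
    if pinned is None:
        pins[coord] = digest
        return "pinned"
    return "ok" if pinned == digest else "mismatch"


def scenario() -> Tuple[str, str, str]:
    """
    The cases argued in the thread:
      1. a user who pinned the genuine artifact earlier receives a
         replacement with a freshly matching sidecar: detected;
      2. the same user re-fetching the genuine artifact: accepted;
      3. a first-time user whose very first fetch is the replacement:
         accepted, which is exactly the window a MITM has under TOFU.
    """
    coord = "org.example:lib:1.0"
    existing = load_pins(PIN_FILE)
    replaced = verify_artifact(existing, coord, TAMPERED_JAR,
                               sha256_hex(TAMPERED_JAR))
    genuine = verify_artifact(existing, coord, GENUINE_JAR,
                              sha256_hex(GENUINE_JAR))
    first_time: Dict[str, str] = {}
    first_fetch_bad = verify_artifact(first_time, coord, TAMPERED_JAR,
                                      sha256_hex(TAMPERED_JAR))
    return replaced, genuine, first_fetch_bad


if __name__ == "__main__":
    print(scenario())  # ('mismatch', 'ok', 'pinned')
```

The design choice that matters is that `verify_artifact` only ever compares against the pin list, never against the checksum file the repository serves; the sidecar is checked for consistency so that transfer corruption is reported separately from substitution. The third result in `scenario()` is the residual risk the thread accepts: pinning closes the window for everyone who already has a pin, and does nothing for a first fetch.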