From: "Hiram Chirino"
Sender: chirino@gmail.com
To: general@incubator.apache.org, henning@apache.org
Date: Mon, 22 Sep 2008 09:34:50 -0400
Subject: Re: status of PGP support in Maven

The only reason I suggested including the sigs in the source distro is because a source build like Apache ServiceMix depends on hundreds of third-party dependencies, so an end user would need to end up trusting LOTS of different signatures to get ServiceMix to build. It would be easier if the end user could just trust the Apache source distro and also transitively trust the signatures that we trust for our dependencies. The end user would still need to manually validate the source distro signature.
Regards,
Hiram

On Sat, Sep 20, 2008 at 1:08 PM, Henning Schmiedehausen wrote:
> On Sat, 2008-09-20 at 10:08 +0100, Robert Burrell Donkin wrote:
>> On Fri, Sep 19, 2008 at 6:11 PM, Justin Erenkrantz wrote:
>> > On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino wrote:
>> >> How about we include the signatures in the source distros? That way
>> >> if you trust your source, then you can trust the dependencies it
>> >> downloads.
>> >
>> > Eww. That'd be a giant gaping security hole.
>>
>> not necessarily, depends how it's done
>>
>> signing works through trusting the people who own the keys. given
>> sufficient signatures (to prevent small conspiracies), where the
>> signatures are downloaded from shouldn't matter.
>
> Hiram suggested putting the signatures into the source, which in turn is
> also distributed from the repo. If you compromise the repo and change
> the artifact, it is trivial to update the source artifact to contain a
> matching signature.
>
> This is a security hole. And I don't really care for some of the
> proposed "high nineties" security solutions. Either a solution is secure
> or it is not. Everything else is just FUD.
>
> The problem with the central repo is that you need an easily accessible
> web of trust if you want validation. The Apache web of trust is
> distributed and an overlay to the GPG web of trust. But if you live in
> Juneau, Alaska, it is hard for you to access it and get a trust
> relationship to it.
>
> There is a (bit rusty) proposal on how to improve this at
> http://people.apache.org/~henkp/trust/
>
> Ciao
> Henning
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org

--
Regards,
Hiram

Blog: http://hiramchirino.com
Open Source SOA
http://open.iona.com
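As an added illustration of Henning's objection (example code, not from the thread, Maven or Apache): a small Go model in which a dependency's detached signature and the list of trusted keys both come from the same repository, compared with a key fingerprint the user pinned out of band. The `Signed` type, the toy `KeyID` fingerprint, the `Sign`/`Verify`/`Scenario` helpers and the sample artifact bytes are assumptions; Ed25519 stands in for PGP.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Signed is a dependency as a repository serves it: artifact bytes, a detached
// signature, and the public key that made it (think of a KEYS file next to the jar).
type Signed struct {
	Data []byte
	Sig  []byte
	Pub  ed25519.PublicKey
}

// KeyID is the fingerprint a user would pin; here a truncated hash of the key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign signs data with a freshly generated key pair (hypothetical helper).
func Sign(data []byte) Signed {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signed{Data: data, Sig: ed25519.Sign(priv, data), Pub: pub}
}

// Verify accepts the artifact only if the signature is valid AND the signing
// key is in the trusted set. Where that set comes from is the thread's question.
func Verify(s Signed, trusted map[string]bool) bool {
	return trusted[KeyID(s.Pub)] && ed25519.Verify(s.Pub, s.Data, s.Sig)
}

// Scenario models the objection: whoever controls the repo swaps in a tampered
// artifact signed with their own key and rewrites the trust list bundled in the
// repo-served source distro. It reports whether the tampered artifact passes
// with (a) that bundled list and (b) a fingerprint learned out of band.
func Scenario() (bundledTrust bool, pinnedTrust bool) {
	genuine := Sign([]byte("dependency-1.0.jar (constructed sample)"))
	pinned := map[string]bool{KeyID(genuine.Pub): true} // e.g. via the web of trust

	tampered := Sign([]byte("dependency-1.0.jar (tampered)"))
	bundled := map[string]bool{KeyID(tampered.Pub): true} // shipped with the artifact

	return Verify(tampered, bundled), Verify(tampered, pinned)
}
```

The bundled list accepts the attacker-signed artifact because artifact, signature and trust anchor all travel together; only a trust anchor obtained independently of the repository rejects it.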