From: "Hiram Chirino"
Sender: chirino@gmail.com
To: general@incubator.apache.org, henning@apache.org
Reply-To: general@incubator.apache.org
Subject: Re: status of PGP support in Maven
Date: Wed, 24 Sep 2008 09:44:36 -0400
In-Reply-To: <1222234030.24030.106.camel@forge.local>
References: <9e3862d80809150702y7492812coa2f8f0f1deb42970@mail.gmail.com> <14976D4F-CEEB-41D7-B1AE-1A703E14462B@SUN.com> <5c902b9e0809191011u72e8b83arfd6e49c5fc202214@mail.gmail.com> <1221930522.25066.161.camel@forge.local> <25aac9fc0809220712o45d61244i20b54c80347041ab@mail.gmail.com> <1222234030.24030.106.camel@forge.local>
Mailing-List: contact general-help@incubator.apache.org; run by ezmlm

On Wed, Sep 24, 2008 at 1:27 AM, Henning Schmiedehausen wrote:
> On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote:
>> On Mon, Sep 22, 2008 at 10:12 AM, sebb wrote:
>> > On 22/09/2008, Hiram Chirino wrote:
>> >> The only reason I suggested including the sigs in the source distro is
>> >> because a source build like Apache ServiceMix depends on hundreds of
>> >> third party dependencies.. so an end user would need to end up
>> >> trusting LOTS of different signatures to get ServiceMix to build.
>> >>
>> >> It would be easier if the end user could just trust the Apache source
>> >> distro and also transitively trust the signatures that we trust for
>> >> our dependencies.
>> >>
>> >
>>
>> I actually meant to say include the pub key for the dependency in the
>> source distro.
>
> How do you validate that the pub key presented to you is genuine? What
> you are currently proposing is
>
> src-artifact <- signed with A's privkey, validated with A's pubkey
>
> A's pubkey is inside src-artifact.

NO I'm not. I'm saying that the A artifact has 100 dependencies by, say, 30
different signers.. we include those 30 pub keys in the src-artifact.
NOT the A key!

You have to validate the A source distro the same way you would
validate an ANT based build source distro today.

--
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
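The two trust models argued over in this exchange, worked through as an added example that is not part of the thread and not code from Maven or any Apache project. It uses Go's standard-library Ed25519 in place of PGP, and the names (Signer, Artifact, VerifyBuild, the signers "A", "dep-signer-1", "dep-signer-2") and the sample payloads are all constructed for illustration. It shows Hiram's flow (verify the top-level distro with a key obtained out of band, then trust the dependency keys bundled inside it), shows why Henning's circular case (A's key available only from inside A) must be refused, and adds one check the thread does not state explicitly: the bundled keyring is covered by A's own signature, so a keyring swapped inside the distro together with a re-signed dependency is still caught.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
)

// Signer is a hypothetical release signer: A, or one of the dependency
// signers from the thread. Keys are generated fresh on every run.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newSigner(name string) Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub, priv: priv}
}

// Artifact is a hypothetical source distribution: payload, signer name,
// detached signature and, for the top-level distro, the bundled public
// keys of the dependency signers (Hiram's proposal).
type Artifact struct {
	Name, Signer string
	Payload      []byte
	Signature    []byte
	BundledKeys  map[string]ed25519.PublicKey // signer name -> public key
}

// signingInput covers the payload AND the bundled keys, so that swapping a
// dependency key inside the distro invalidates the distro's own signature.
func signingInput(a Artifact) []byte {
	names := make([]string, 0, len(a.BundledKeys))
	for n := range a.BundledKeys {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic order for map contents
	buf := []byte(a.Name + "\x00")
	buf = append(buf, a.Payload...)
	for _, n := range names {
		buf = append(buf, "\x00"+n+"\x00"...)
		buf = append(buf, a.BundledKeys[n]...)
	}
	return buf
}

func sign(s Signer, a Artifact) Artifact {
	a.Signer = s.Name
	a.Signature = ed25519.Sign(s.priv, signingInput(a))
	return a
}

// Verify checks an artifact against a key the verifier ALREADY trusts. It
// never takes the key from the artifact itself: that is the circular scheme
// Henning describes, and it proves nothing.
func Verify(a Artifact, trusted map[string]ed25519.PublicKey) error {
	pub, ok := trusted[a.Signer]
	if !ok {
		return fmt.Errorf("%s: no independently trusted key for signer %q", a.Name, a.Signer)
	}
	if !ed25519.Verify(pub, signingInput(a), a.Signature) {
		return fmt.Errorf("%s: bad signature", a.Name)
	}
	return nil
}

// VerifyBuild is the flow Hiram argues for: validate the top-level distro
// with a key obtained out of band (as for an Ant build today), and only then
// admit the keys bundled inside it for verifying the dependencies.
func VerifyBuild(top Artifact, outOfBand map[string]ed25519.PublicKey, deps []Artifact) error {
	if err := Verify(top, outOfBand); err != nil {
		return err
	}
	trusted := make(map[string]ed25519.PublicKey, len(top.BundledKeys))
	for n, k := range top.BundledKeys {
		trusted[n] = k // transitive trust, anchored in A's verified signature
	}
	for _, d := range deps {
		if err := Verify(d, trusted); err != nil {
			return err
		}
	}
	return nil
}

// Scenario runs a constructed instance of the thread's setup and returns the
// outcome of three verifications: the honest build, the circular case, and a
// distro whose bundled keyring was swapped together with a re-signed dependency.
func Scenario() (good, circular, tampered error) {
	a, s1, s2 := newSigner("A"), newSigner("dep-signer-1"), newSigner("dep-signer-2")
	deps := []Artifact{
		sign(s1, Artifact{Name: "dep1", Payload: []byte("dep1 sources")}),
		sign(s2, Artifact{Name: "dep2", Payload: []byte("dep2 sources")}),
	}
	top := sign(a, Artifact{Name: "A-src", Payload: []byte("A sources"),
		BundledKeys: map[string]ed25519.PublicKey{s1.Name: s1.Pub, s2.Name: s2.Pub}})

	outOfBand := map[string]ed25519.PublicKey{a.Name: a.Pub} // e.g. a KEYS file fetched separately
	good = VerifyBuild(top, outOfBand, deps)

	// Henning's objection: nothing trusted outside the artifact, so A cannot be validated.
	circular = VerifyBuild(top, map[string]ed25519.PublicKey{}, deps)

	// Keyring inside the distro replaced under the same signer name, dependency re-signed.
	other := newSigner("dep-signer-1")
	swapped := top
	swapped.BundledKeys = map[string]ed25519.PublicKey{s1.Name: other.Pub, s2.Name: s2.Pub}
	altDeps := []Artifact{sign(other, Artifact{Name: "dep1", Payload: []byte("replaced dep1")}), deps[1]}
	tampered = VerifyBuild(swapped, outOfBand, altDeps)
	return good, circular, tampered
}
```

The design point is in signingInput: if A's signature covered only the payload, the swapped keyring would pass and the re-signed dependency would then verify against the attacker's key, which is exactly the "trust the keys we bundled" step losing its anchor. With the keys under A's signature, the whole transitive set stands or falls with the one key the user fetched out of band.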