incubator-general mailing list archives

From sebb <seb...@gmail.com>
Subject Re: status of PGP support in Maven
Date Fri, 03 Oct 2008 21:02:32 GMT
On 03/10/2008, Bruce Snyder <bruce.snyder@gmail.com> wrote:
> On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <noel@devtech.com> wrote:
>
> > Moved to the thread it belongs in ...
> >
> > Jason van Zyl wrote:
> > > Noel J. Bergman wrote:
> > > > Emmanuel Lecharny wrote:
> > > > > Better a bad decision than no decision, otherwise, soon, nobody will
> > > > > vote anymore...
> > > > Not really.  Consider that there appears to be a clear consensus
> > > > that if Maven were to fix the download situation, requiring that users
> > > > approve the use of Incubator artifacts, rather than transparently use
> > > > them, many of the -1 would be +1.
> >
> > > That's unlikely to happen. We're not going to be implementing policy
> > > enforcement for you.
> >
> > We don't need for you to implement any "policy" other than the requirement
> > for users to approve authorized signing keys.  You simply need to implement
> > artifact signing and mandatory authorization, which is why I've moved this
> > to the thread Brett started for purposes of discussing signing.
>
> I'm trying to understand why authorization should be mandatory? To my
> knowledge, only some of the Linux package management tools (apt, port,
> rpm, yum) verify signatures by default and in the event of failure,
> they allow you to continue without the key verification.
>
> Also, I've actually spoken to a number of folks about GPG verification
> of artifacts over the last year and very few folks actually use this
> today.
>
> > Did you not see what just happened to Redhat with respect to Fedora?  They
> > take artifact security seriously.  For a long time, it has appeared that
> > Maven does not, but I am hopeful now that mandatory authorization will
> > appear, so that I and others will not have to increase lobbying efforts to
> > have the Maven repository closed, at least with respect to ASF projects.
>
> Please explain what happened to RedHat with respect to Fedora. I'm not
> familiar with the situation.

http://rtfa.net/2008/08/25/fedora-package-signing-server-compromise-crls-and-trust/

and

http://rhn.redhat.com/errata/RHSA-2008-0855.html

> Bruce
> --
> perl -e 'print unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
> );'
>
> Apache ActiveMQ - http://activemq.org/
> Apache Camel - http://activemq.org/camel/
> Apache ServiceMix - http://servicemix.org/
>
> Blog: http://bruceblog.org/
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
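An added example, not code from this thread, from Maven or from any ASF project, of the check the discussion above keeps calling "mandatory authorization": verify a downloaded artifact against its detached OpenPGP signature and accept it only when the signing key is one the project itself publishes, failing closed on a bad signature, an unknown key, or a revoked or expired key (a compromised signing key, which is what the Fedora links concern, is dealt with by revoking it, so that state is rejected explicitly rather than left to gpg's exit code). It assumes gpg 2.1 or later on the PATH and that the project publishes its release keys in a KEYS file; the file names, the "Release Manager" key and the artifact bytes are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread, Maven or the ASF): fail-closed
# verification of a release artifact against its detached .asc signature,
# trusting only the keys found in the project's KEYS file. Names and
# contents below are constructed for illustration.

# verify_artifact KEYS_FILE ARTIFACT SIGNATURE
# Returns 0 only when gpg reports a good signature made by a key that is in
# KEYS_FILE and is neither revoked nor expired; every other outcome is 1.
verify_artifact() {
    keys_file=$1; artifact=$2; sig=$3
    # Throwaway keyring: nothing in the user's own keyring can satisfy the check.
    ring=$(mktemp -d) || return 1
    chmod 700 "$ring"
    GNUPGHOME=$ring gpg --batch --quiet --import "$keys_file" 2>/dev/null \
        || { rm -rf "$ring"; return 1; }      # empty or unparsable KEYS: reject
    # Machine-readable status lines go to stdout; the human text is not parsed.
    status=$(GNUPGHOME=$ring gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null) || true
    GNUPGHOME=$ring gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$ring"
    # gpg emits one of REVKEYSIG / EXPKEYSIG / EXPSIG / GOODSIG for a
    # cryptographically valid signature; only GOODSIG is acceptable here.
    case $status in
        *"[GNUPG:] REVKEYSIG "*|*"[GNUPG:] EXPKEYSIG "*|*"[GNUPG:] EXPSIG "*) return 1 ;;
    esac
    case $status in
        *"[GNUPG:] GOODSIG "*) return 0 ;;
    esac
    return 1   # BADSIG, NO_PUBKEY (signer not in KEYS), ERRSIG, or no output
}

# make_demo_release DIR
# Builds a constructed release in DIR: a throwaway signing key, a KEYS file
# exported from it, artifact.jar, and artifact.jar.asc signed by that key.
make_demo_release() {
    dir=$1
    signer=$dir/signer-home
    mkdir -p "$signer" && chmod 700 "$signer"
    GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Manager <rm@example.org>' rsa2048 sign never \
        2>/dev/null || return 1
    printf 'constructed artifact bytes, not a real jar\n' > "$dir/artifact.jar"
    GNUPGHOME=$signer gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$dir/artifact.jar.asc" "$dir/artifact.jar" \
        2>/dev/null || return 1
    GNUPGHOME=$signer gpg --batch --armor --export 'rm@example.org' \
        > "$dir/KEYS" 2>/dev/null || return 1
    GNUPGHOME=$signer gpgconf --kill gpg-agent 2>/dev/null || true
    return 0
}

# Stand-alone run against the constructed release (needs gpg 2.1 or later).
if command -v gpg >/dev/null 2>&1; then
    demo=$(mktemp -d)
    if make_demo_release "$demo"; then
        verify_artifact "$demo/KEYS" "$demo/artifact.jar" "$demo/artifact.jar.asc" \
            && echo "genuine artifact: accepted"
        printf 'X' >> "$demo/artifact.jar"          # tamper with the download
        verify_artifact "$demo/KEYS" "$demo/artifact.jar" "$demo/artifact.jar.asc" \
            || echo "tampered artifact: rejected"
    fi
    rm -rf "$demo"
fi
```

The keyring is created and destroyed on every call, so a key that happens to sit in the user's personal keyring cannot satisfy the check by accident; the only way to accept a signer is to put that key in KEYS, which must be obtained out of band rather than from the same repository that serves the artifact. The .md5 and .sha1 files next to a Maven artifact are served from that same place and say nothing about who built it; only the signature check does.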

