incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: status of PGP support in Maven
Date Tue, 07 Oct 2008 07:06:13 GMT
Niclas Hedhman wrote:
> On Mon, Oct 6, 2008 at 10:08 PM, Hiram Chirino <hiram@hiramchirino.com> wrote:
> 
>> There are maven plugins that can validate the checksums of 3rd party
>> dependencies.
> 
> Uhhh... Call me stupid, but how can checksum solve anything other than
> assuring that the download worked?? AFAIK, Maven does not pick up the
> checksums from the "authorative" server and validates it against the
> mirrored one. Perhaps that has changed since "back then"... And even
> then, how hard can it be to get the same 1024/2048/65536/... bit
> checksum by modifying that many 'extra' or 'unused' bits?

You're not stupid[1][2].

Practically speaking, SHA384++ are still "strong enough" but as you point
out, unless the checksum values are taken from a trusted[3][4] reference
server separate from the distribution server, immune from mitm channels.

All of this is simply idle chatter until a repository server is compromised
at which point half will be scolding the other half "I told you so".  But
none of this has anything to do with "Incubator" best practices, unless
you want to prohibit incubator projects from assembling releases from Maven.

[1] http://en.wikipedia.org/wiki/Md5#Vulnerability
[2] http://en.wikipedia.org/wiki/Sha1#Cryptanalysis_and_validation
[3] http://www.apache.org/info/20010519-hack.html
[4] http://news.cnet.com/8301-1009_3-10023565-83.html


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message