incubator-general mailing list archives

From "Robert Burrell Donkin" <robertburrelldon...@gmail.com>
Subject Re: status of PGP support in Maven
Date Sat, 04 Oct 2008 09:25:01 GMT
On Fri, Oct 3, 2008 at 10:02 PM, sebb <sebbaz@gmail.com> wrote:
> On 03/10/2008, Bruce Snyder <bruce.snyder@gmail.com> wrote:
>> On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <noel@devtech.com> wrote:
>>
>> > Moved to the thread it belongs in ...
>>  >
>>  > Jason van Zyl wrote:
>>  >> Noel J. Bergman wrote:
>>  >> > Emmanuel Lecharny wrote:
>>  >>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>  >>>> vote anymore...
>>  >>> Not really.  Consider that there appears to be a clear consensus
>>  >>> that if Maven were to fix the download situation, requiring that users
>>  >>> approve the use of Incubator artifacts, rather than transparently use
>>  >>> them, many of the -1 would be +1.
>>  >
>>  >> That's unlikely to happen. We're not going to be implementing policy
>>  >> enforcement for you.
>>  >
>>  > We don't need for you to implement any "policy" other than the requirement
>>  > for users to approve authorized signing keys.  You simply need to implement
>>  > artifact signing and mandatory authorization, which is why I've moved this
>>  > to the thread Brett started for purposes of discussing signing.
>>
>>
>> I'm trying to understand why authorization should be mandatory? To my
>>  knowledge, only some of the Linux package management tools (apt, port,
>>  rpm, yum) verify signatures by default and in the event of failure,
>>  they allow you to continue without the key verification.
>>
>>  Also, I've actually spoken to a number of folks about GPG verification
>>  of artifacts over the last year and very few folks actually use this
>>  today.

GPG is very good for certain purposes. Downstream packagers should
check signatures (and know how to do so safely) but for normal users,
checking SHA sums against the main site is probably better.

>>  > Did you not see what just happened to Redhat with respect to Fedora?  They
>>  > take artifact security seriously.  For a long time, it has appeared that
>>  > Maven does not, but I am hopeful now that mandatory authorization will
>>  > appear, so that I and others will not have to increase lobbying efforts to
>>  > have the Maven repository closed, at least with respect to ASF projects.
>>
>>
>> Please explain what happened to RedHat with respect to Fedora. I'm not
>>  familiar with the situation.
>
> http://rtfa.net/2008/08/25/fedora-package-signing-server-compromise-crls-and-trust/
>
> and
>
> http://rhn.redhat.com/errata/RHSA-2008-0855.html

Silver bullets don't work :-)

Single key, single point of failure, single compromise required.

Sounds like it was picked up by their auditing system, though.

BTW the RAT auditing stuff seems to be working OK now for the
incubator releases. If anyone wants to extend auditing to other
projects, I'd be happy to help.

- robert

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

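The two checks Robert describes above, as an added example that is not part of this thread, of Maven, or of any ASF tooling: a POSIX shell script that (1) verifies a downloaded artifact against a SHA-256 checksum file of the kind a project publishes on its main site, so the artifact itself may come from any mirror, and (2) for downstream packagers, verifies a detached GPG signature against a throwaway keyring built only from the project's KEYS file, so nothing already in the user's keyring or fetched from a keyserver can satisfy the check. The artifact, checksum file and file names in the demo are constructed here; `sha256sum` (or `shasum`) is assumed to be installed, and `gpg` is only needed for `verify_gpg`, which the demo does not exercise.

```shell
#!/bin/sh
# Added example, not from the original thread or from Maven/ASF tooling.
# Assumes sha256sum or shasum is installed; gpg is needed only for verify_gpg.
set -u

# Portable SHA-256 of a file, printed as lowercase hex.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 ARTIFACT CHECKSUM_FILE
# CHECKSUM_FILE is the "HEX  name" / "HEX *name" format sha256sum writes
# (a line holding only the hex is also accepted). The checksum file must be
# fetched from the project's main site, not from the mirror that served the
# artifact, or the check proves nothing. Returns 0 on match, 1 on mismatch,
# 2 when no entry for ARTIFACT exists in CHECKSUM_FILE.
verify_sha256() {
  artifact=$1; sums=$2
  name=$(basename "$artifact")
  expected=$(awk -v n="$name" '
      { h=$1; f=(NF > 1) ? $2 : n; sub(/^\*/, "", f); sub(/\r$/, "", f)
        if (f == n) { print tolower(h); exit } }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 2
  fi
  actual=$(sha256_of "$artifact")
  if [ "$actual" != "$expected" ]; then
    echo "CHECKSUM MISMATCH for $name" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
  fi
  echo "sha256 OK: $name"
  return 0
}

# verify_gpg ARTIFACT SIGNATURE KEYS_FILE
# Imports KEYS_FILE into a temporary GnuPG home and verifies the detached
# signature against that keyring alone. Returns 0 on a good signature,
# 1 on a bad or unknown-key signature, 2 if the KEYS file cannot be imported.
verify_gpg() {
  artifact=$1; sig=$2; keys=$3
  home=$(mktemp -d) || return 2
  if ! gpg --homedir "$home" --batch --quiet --import "$keys" >/dev/null 2>&1; then
    rm -rf "$home"; return 2
  fi
  rc=0
  gpg --homedir "$home" --batch --verify "$sig" "$artifact" 2>"$home/log" || rc=1
  [ "$rc" -eq 0 ] || cat "$home/log" >&2
  rm -rf "$home"
  return "$rc"
}

# Demo on a constructed artifact (no network): the good copy must pass and a
# tampered copy must fail. Returns 0 when both outcomes are as expected.
demo_sha256() {
  d=$(mktemp -d) || return 2
  a="$d/example-1.0.tar.gz"
  printf 'constructed release payload\n' > "$a"
  # Stands in for the .sha256 file fetched from the main site.
  printf '%s  example-1.0.tar.gz\n' "$(sha256_of "$a")" > "$a.sha256"
  good=0; verify_sha256 "$a" "$a.sha256" || good=$?
  printf 'X' >> "$a"                      # a modified mirror copy
  bad=0;  verify_sha256 "$a" "$a.sha256" 2>/dev/null || bad=$?
  rm -rf "$d"
  [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo_sha256 && echo "demo: good copy accepted, tampered copy rejected"
```

Note that `gpg --verify` reports "Good signature" even for keys it does not trust, which is why the function pins the keyring to the KEYS file instead of relying on the web of trust; and a checksum file served by the same mirror as the artifact is only a transfer-integrity check, not an authenticity check.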
