Date: Mon, 6 Oct 2008 10:24:49 -0400
From: "Hiram Chirino"
Sender: chirino@gmail.com
To: general@incubator.apache.org, henning@apache.org
Subject: Re: status of PGP support in Maven
References: <1223078492.4003.1.camel@forge.local>

Note that problem A and B both occur at manual steps in the build/development process. Just wanted to point that out to folks who complain that maven is insecure because it downloads stuff automatically. With checksums, as long as the manual steps are secure, automated bits should be secure too.

Regards,
Hiram

> There are maven plugins that can validate the checksums of 3rd party
> dependencies. Works well as long as:
> A) You can trust that your apache-baz-1.0 source has not been tampered with.
> B) The dependency had not been tampered with at the time that the
> dependency was first added to the build. (Since that's when the
> expected checksum is calculated)
>
> Problem A: is universal to all builds at apache even if it's a maven
> based or make based build. I guess this is what the GPG discussion is
> about.
> Problem B: Could be further reduced if the 3rd party used some type of
> signing to help the apache developers validate that the 3rd party
> artifact is indeed authentic.
>
> If dependency checksum validation was encouraged by all our source
> builds, I think Problem B would become even less of a problem because
> you would get a network effect between all the source builds. As more
> projects add a 3rd party dependency validated by a checksum, it
> becomes harder to exploit that 3rd party dependency as the artifact
> checksum gets checked by more and more builds. Tampering with the
> artifact would result in some builds breaking and folks
> investigating the tampering. Therefore the most effective way to
> tamper with a 3rd party artifact would be to do it when the 3rd party
> artifact first gets deployed. So in effect we reduce the
> vulnerability window that exploits are effective in, which I think
> helps.
>
> --
> Regards,
> Hiram
>
> Blog: http://hiramchirino.com
>
> Open Source SOA
> http://open.iona.com
>

--
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com
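An added example (not code from the thread or from any Maven plugin) that models the two steps Hiram's message distinguishes: the manual pin of an expected checksum when a dependency is first added (Problem B), and the automated verification on every later build, plus the "network effect" of several projects pinning at different times. Artifact bytes, coordinates and pin timings are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for downloaded jar contents (not real releases).
GENUINE_JAR = b"PK\x03\x04 genuine apache-baz-1.0 contents"
TAMPERED_JAR = b"PK\x03\x04 tampered apache-baz-1.0 contents"
COORD = "org.apache:baz:1.0"  # hypothetical dependency coordinate


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_dependency(lockfile: dict, coordinate: str, artifact: bytes) -> str:
    """Manual step (Problem B): the expected checksum is taken from whatever
    bytes the developer downloads when the dependency is first added."""
    lockfile[coordinate] = sha256_hex(artifact)
    return lockfile[coordinate]


def verify_dependency(lockfile: dict, coordinate: str, artifact: bytes) -> bool:
    """Automated step: each build compares the download against the pin.
    An unpinned dependency is a failure, not a silent pass."""
    expected = lockfile.get(coordinate)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(artifact))


def scenario_tamper_after_pin() -> bool:
    """Artifact replaced after the pin was recorded: verification fails."""
    lock = {}
    pin_dependency(lock, COORD, GENUINE_JAR)
    return verify_dependency(lock, COORD, TAMPERED_JAR)  # False


def scenario_tamper_before_pin() -> bool:
    """Artifact already replaced when first added: the bad digest gets
    pinned and every later build accepts it (the Problem B window)."""
    lock = {}
    pin_dependency(lock, COORD, TAMPERED_JAR)
    return verify_dependency(lock, COORD, TAMPERED_JAR)  # True


def builds_broken_by_tamper(pin_times: list, tamper_time: int) -> int:
    """Network effect: projects that pinned before the tamper break and
    investigate; only projects that pinned afterwards are fooled."""
    broken = 0
    for t in pin_times:
        lock = {}
        pin_dependency(lock, COORD, GENUINE_JAR if t < tamper_time else TAMPERED_JAR)
        if not verify_dependency(lock, COORD, TAMPERED_JAR):
            broken += 1
    return broken  # e.g. [1, 2, 5, 8] with tamper_time=4 -> 2
```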