maven-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benson Margulies <bimargul...@gmail.com>
Subject Re: Eclipse plugins and X.509 signatures
Date Wed, 31 Aug 2011 21:30:16 GMT
After thinking about Igor's observations here and on the bz referenced
below, I want to offer an alternative proposal.

At Apache, we want to encourage people to actually validate what they
download from us. Given the current state of the X.509 ecosystem and
Eclipse, no actual validation will take place if we self-sign, and
some might argue that we're in fact assisting spoofers.

My alternative proposal is to have no P2 site at all. Instead, simple
put a .zip archive of the P2 site onto our regular release site, with
the regular PGP signatures. The eclipse installation UI is perfectly
happy to consume an archive of a P2 site instead of a URL.

It's slightly less convenient for the end-user, but it's potentially a
lot more secure.

Thoughts?


On Wed, Aug 31, 2011 at 10:52 AM, Igor Fedorenko <igor@ifedorenko.com> wrote:
> Beware that Eclipse P2 does not like self-signed certificates all that much.
>
> [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=340345
>
> --
> Regards,
> Igor
>
> On 11-08-31 10:42 AM, Benson Margulies wrote:
>>
>> I've been helping Vincent&  Hervé push Vincent's Eclipse plugins for
>> Doxia file formats towards a release. I've got a tentative plan for
>> code-signing and I felt that it should be exposed on the dev list.
>>
>> Eclipse uses standard Java X.509 JAR signing. The Apache Directory
>> project also distributes Eclipse plugins, and handles this as follows:
>>
>> 1) They use a self-signed X.509 signature. In my view, the way to do
>> this consistent with Apache process is to have each person serving as
>> RM on this stuff generate their own and check the public key into the
>> tree.
>>
>> 2) They also attach the usual sort of PGP detached signature files to
>> all the files that they distribute. We can't do this with Maven in
>> this case, at least not very well.
>>
>> I'm going to proceed down this line unless someone objects. Note that
>> the ASF infrastructure site has some web pages that suggest the
>> existence of an X.509 CA, but I can't find any evidence so far that it
>> is alive.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
>> For additional commands, e-mail: dev-help@maven.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> For additional commands, e-mail: dev-help@maven.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


Mime
View raw message