Return-Path: <issues-return-112228-archive-asf-public=cust-asf.ponee.io@maven.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 7670D2009D9
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu, 19 May 2016 22:40:14 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 74EC5160A00; Thu, 19 May 2016 20:40:14 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id BD8A01609AE
	for <archive-asf-public@cust-asf.ponee.io>; Thu, 19 May 2016 22:40:13 +0200 (CEST)
Received: (qmail 17967 invoked by uid 500); 19 May 2016 20:40:13 -0000
Mailing-List: contact issues-help@maven.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@maven.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@maven.apache.org>
List-Post: <mailto:issues@maven.apache.org>
List-Id: <issues.maven.apache.org>
Reply-To: dev@maven.apache.org
Delivered-To: mailing list issues@maven.apache.org
Received: (qmail 17954 invoked by uid 99); 19 May 2016 20:40:12 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 May 2016 20:40:12 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id C9BD22C1F58
	for <issues@maven.apache.org>; Thu, 19 May 2016 20:40:12 +0000 (UTC)
Date: Thu, 19 May 2016 20:40:12 +0000 (UTC)
From: "Florian Schmaus (JIRA)" <jira@apache.org>
To: issues@maven.apache.org
Message-ID: <JIRA.12971227.1463680526000.240610.1463690412823@Atlassian.JIRA>
In-Reply-To: <JIRA.12971227.1463680526000@Atlassian.JIRA>
References: <JIRA.12971227.1463680526000@Atlassian.JIRA> <JIRA.12971227.1463680526820@arcas>
Subject: [jira] [Updated] (MNG-6026) Extend the Project Object Model (POM)
 with trust information (OpenPGP, checksums)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Thu, 19 May 2016 20:40:14 -0000


     [ https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Schmaus updated MNG-6026:
---------------------------------
    Summary: Extend the Project Object Model (POM) with trust information (OpenPGP, checksums)  (was: Extend the Project Object Model (POM) with OpenPGP (RFC 4880) trust information)

> Extend the Project Object Model (POM) with trust information (OpenPGP, checksums)
> ---------------------------------------------------------------------------------
>
>                 Key: MNG-6026
>                 URL: https://issues.apache.org/jira/browse/MNG-6026
>             Project: Maven
>          Issue Type: New Feature
>          Components: core
>            Reporter: Florian Schmaus
>
> I'm not sure if this is the right place to raise an feature request for the POM format itself. I've already tried to get in touch with the right people about this feature request, but failed. I'm willing to help designing and implementing tihs, but need guidance.
> The origin of this feature request is http://stackoverflow.com/a/34795359/194894, and [especially a SO user requesting me to put this up|http://stackoverflow.com/questions/3307146/verification-of-dependency-authenticy-in-maven-pom-based-automated-build-systems/34795359?noredirect=1#comment62178671_34795359].
> h2. Extend the Project Object Model (POM) with OpenPGP (RFC 4880) trust information
> What we need is the possibility to model a trust relation from your project or artifact to the declared dependencies. So that, if all involved parties declare such a relation, we are able to create a "chain of trust" from the root (e.g. the project) over its dependencies down to the very last transitive dependency. The Project Object Model (POM) needs to be extended by a <verification/> element for dependencies.
> h3. Current Situation
> Right now we have something like
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>4.0</version>
> </dependency>
> {code}
> h3. Hard dependencies
> For hard dependencies, <verfication/> could include the sha256sum of artifact and its POM file:
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>4.0</version>
>   <verification>
>     <checksum hash='sha-256'>
>       <pom>[sha256 of junit pom file]</pom>
>       <artifact>[sha256sum of artifact (junit.jar)]</artifact>
>     </checksum>
>   </verification>
> </dependency>
> {code}
> h3. Soft dependencies
> If soft or ranged dependencies are used, then we could specify the public key (or multiple) of the keypair used to sign the artifacts
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>[4.0,4.5)</version>
>   <verification>
>     <openpgp>[secure fingerprint of OpenPGP key]</openpgp>
>     <!-- possible further 'openpgp' elements in case the artifacts in the
>          specified version range where signed by multiple keys -->
>   </verification>
> </dependency>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)