maven-users mailing list archives

From "Julian C. Dunn" <Julian_D...@cbc.ca>
Subject RE: failover for maven repository?
Date Wed, 09 Jun 2004 04:11:32 GMT
On Tue, 8 Jun 2004, Jason van Zyl wrote:

> > On Tue, 2004-06-08 at 22:59, Julian C. Dunn wrote:
> > 
> > > I must admit that I share their concern; I'm curious to know whether the
> > > security implications of this have been discussed at all.
> > 
> > Many times, we have use cases, and the upload process will become more
> > rigourous over time. We've also had a couple more complete proposals
> > submitted: one by Nat Pryce and one by John Casey
> 
> For reference:
> 
> http://docs.codehaus.org/display/MAVEN/Repository+-+Security
> 
> http://docs.codehaus.org/display/MAVEN/Repository+-+Security+by+nat+pryce

Those articles pretty much reflect my (and my sysadmins') concerns, thank 
you.

> Some may consider it negligence but I considered convenience to be the
> overriding concern. I realize security is an issue, but I feel it's
> become a bit of a boogeyman. Anything is possible and maybe there is some
> really, really bored guy with nothing better to do than muck up the
> works for everyone but I'm really hoping that doesn't happen. But in m2
> we will have options for the paranoid and the upload process will be
> easier and more secure.

Well, we all "hope" that nobody mucks up the repository, but that only
gets you so far -- all you have to do is to ask the Debian or FSF
maintainers whose sites got cracked how far "hope" gets you. I would
rather that the Maven community take proactive steps to rectify this,
rather than getting egg on our collective faces when the repo does get
mangled, either by accident or on purpose.

I'll give you an example of a case where even "accidental" repo mangling
has caused us grief: commons-configuration. The JAR that is up there on
ibiblio labelled 1.0-dev doesn't contain the same code as the current one
(also labelled 1.0-dev) which you can download off the Jakarta site. I had
a developer run across this just today: when he ran his code against what
he thought was the "correct" 1.0-dev JAR but was in fact the old one from
ibiblio, the code blew up, predictably.

In my mind, the correct approach as suggested by Casey, Pryce et al. is to
store the MD5 or SHA1 checksums offline, i.e. not in the same place as the
JARs themselves, and then to transfer those securely. This is basically
the approach used by the FreeBSD ports system or NetBSD pkgsrc. The actual
transfer of the JARs need not be secure as long as the checksums are
trustworthy.

- Julian

-- 
Julian C. Dunn  <Julian_Dunn@cbc.ca> <jdunn@nm.cbc.ca>
Software Developer, CBC.ca Production & Operations
Office: 2C310-I * Tel.: (416)-205-5592
PGP Key: 0xDA6A5B30 [7DCD A0C3 8B6F 6A76 F4CD 9F9B F941 A1B2 DA6A 5B30]

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org
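The verification step described in the message above, as an added example that is not part of the original thread and is not Maven code or either of the Codehaus proposals: a pkgsrc-style `distinfo` manifest, assumed to have been obtained over a trusted channel separately from the repository that serves the JARs, is the only thing the client trusts. The JAR bytes, the file name and the manifest below are constructed for the example; the "stale ibiblio copy" versus "current Jakarta copy" pair stands in for the commons-configuration 1.0-dev mix-up.

```python
"""Accept a downloaded artifact only if it matches a trusted, out-of-band
checksum manifest (the FreeBSD ports / pkgsrc 'distinfo' idea).

Added example, not project code. The repository serving the JAR is treated
as untrusted; the manifest is the root of trust, so a JAR that does not match
every digest listed for it is rejected, as is a JAR the manifest never lists.
"""
import hashlib
import hmac
import re

# One manifest line per (algorithm, artifact), in pkgsrc distinfo syntax:
#   SHA1 (foo-1.0.jar) = <hex digest>
DISTINFO_LINE = re.compile(
    r"^(?P<algo>SHA1|MD5) \((?P<name>[^()\s]+)\) = (?P<digest>[0-9a-f]{32,40})$"
)


def make_distinfo(name, data):
    """Publisher side: emit SHA1 and MD5 lines for one artifact."""
    return "".join(
        "%s (%s) = %s\n" % (algo, name, hashlib.new(algo.lower(), data).hexdigest())
        for algo in ("SHA1", "MD5")
    )


def parse_distinfo(text):
    """Parse a manifest into {(artifact name, algorithm): hex digest}.

    A malformed line is an error, not something to skip: a manifest that
    cannot be parsed must not silently verify nothing.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = DISTINFO_LINE.match(line)
        if m is None:
            raise ValueError("distinfo line %d is malformed: %r" % (lineno, line))
        entries[(m.group("name"), m.group("algo"))] = m.group("digest")
    return entries


def verify(name, data, distinfo):
    """Return 'ok', 'missing' or 'mismatch' for the artifact bytes.

    Every algorithm the manifest lists for the artifact must match; an
    artifact with no manifest entry is not "unknown but fine", it is rejected.
    """
    entries = parse_distinfo(distinfo)
    algos = [algo for (entry_name, algo) in entries if entry_name == name]
    if not algos:
        return "missing"
    for algo in algos:
        actual = hashlib.new(algo.lower(), data).hexdigest()
        # compare_digest avoids leaking where the digests diverge via timing.
        if not hmac.compare_digest(actual, entries[(name, algo)]):
            return "mismatch"
    return "ok"


# Constructed sample inputs (stand-ins for real JAR bytes).
ARTIFACT = "commons-configuration-1.0-dev.jar"
CURRENT_JAR = b"PK\x03\x04 commons-configuration 1.0-dev, current Jakarta build (constructed)"
STALE_JAR = b"PK\x03\x04 commons-configuration 1.0-dev, old ibiblio copy (constructed)"

# Stands in for the manifest fetched over a trusted channel, published for the
# current build only; the stale copy carries the same version label but
# different bytes, so it cannot match.
TRUSTED_DISTINFO = make_distinfo(ARTIFACT, CURRENT_JAR)


if __name__ == "__main__":
    print(TRUSTED_DISTINFO, end="")
    print("current copy :", verify(ARTIFACT, CURRENT_JAR, TRUSTED_DISTINFO))
    print("stale copy   :", verify(ARTIFACT, STALE_JAR, TRUSTED_DISTINFO))
    print("unlisted jar :", verify("other-0.1.jar", CURRENT_JAR, TRUSTED_DISTINFO))
```

The point the message makes is visible in `verify`: nothing about the JAR's own transport is trusted, only the manifest is, so the same mechanism catches both a deliberately replaced JAR and the accidental case of two different builds carrying the same version label. Requiring all listed digests to match (rather than any one) is what makes adding a second algorithm worth anything.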

