www-repository mailing list archives

From "Mark R. Diggory" <mdigg...@apache.org>
Subject Re: Ant and repositories
Date Tue, 02 Nov 2004 13:21:07 GMT
Hi Steve,

Steve Loughran wrote:
> Hello,
> 
> I'm Steve Loughran of the Ant project; Nicolaken said I should get on
> this mail list
> 
> 1. I have just added to Ant CVS_HEAD a task to get libraries from a
> repository; built in support is for maven layouts, though others are
> possible.

This is a great idea.

> 2. I worry about the security aspects. I don't think it is enough to
> verify the MD5 signatures, because they are served up on the same
> (http) server.
> What should I be doing for verifying remote downloads are the intended
> ones, or what changes are planned in the near future that our task
> should ready itself for?
> Note that the task is focused on JAR/WAR/Ear archives only, so we can
> do full jar signature checking if that is felt the best solution. And
> we can ship with the public key of an Apache/Maven/Gump CA to verify
> signatures. Indeed, the fact that nothing has shipped at all yet (and
> won't till 1.7 alpha) means that we have time to get things right here
> 
> -Steve

This subject is going to be dependent on the overall capabilities of 
Maven itself. I think, as Maven moves forward you're going to see more 
requirements for signatures. I think that in your case, all the Ant task 
would probably maintain is some "warning" or interactive y/n/a/na 
concerning the signature being missing or bad. This is because no matter 
what policies we put in place for the ASF Repository, they are but a 
subset of possible outcomes in Maven.

Ultimately, users of the task should be using 
http://www.ibiblio.org/maven an Apache mirror or another local Maven 
repository as the target for downloading dependencies and not ever the 
/dist/java-repository on minotaur directly.

In theory, all PGP signatures on files in the repository should have 
public keys stored somewhere under "KEYS" like other contents of /dist/, 
but I don't currently think this is a well-maintained or organized practice 
in the ASF Repository. It should be better maintained and we've had 
discussions about improving it.

-Mark

-- 
Mark Diggory
Open Source Software Developer
Apache Jakarta Project
http://jakarta.apache.org
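The point Steve raises (a checksum served by the same HTTP server as the artifact proves nothing against a substituted download) and the "missing or bad signature" outcomes Mark says the task should surface, as an added example that is not code from this thread, from the Ant task or from the ASF repository tooling. It assumes a constructed in-memory map standing in for the repository and its mirror, constructed artifact bytes and path, and ed25519 detached signatures standing in for the PGP .asc files and KEYS file the thread discusses; the trust decision is the same: the verifying key ships with the tool and is never fetched from the server being checked.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Verdict is what the fetch task reports; "missing" and "bad" are the cases
// the thread says should raise a warning or an interactive prompt.
type Verdict int

const (
	SigOK Verdict = iota
	SigMissing
	SigBad
)

// Repo is a constructed in-memory stand-in for an HTTP repository or mirror:
// everything in it, sidecar files included, is under that server's control.
type Repo map[string][]byte

// publish stores an artifact, its .md5 sidecar and, when a key is given, a
// detached .sig (ed25519 here, standing in for the PGP .asc the ASF uses).
func publish(repo Repo, path string, body []byte, signer ed25519.PrivateKey) {
	repo[path] = body
	sum := md5.Sum(body)
	repo[path+".md5"] = []byte(hex.EncodeToString(sum[:]) + "\n")
	if signer != nil {
		repo[path+".sig"] = ed25519.Sign(signer, body)
	}
}

// ChecksumMatches is the weak check: the .md5 comes from the same server as
// the artifact, so it catches corruption in transit, not substitution.
func ChecksumMatches(repo Repo, path string) bool {
	body, ok := repo[path]
	sidecar, ok2 := repo[path+".md5"]
	if !ok || !ok2 {
		return false
	}
	sum := md5.Sum(body)
	return hex.EncodeToString(sum[:]) == string(bytes.TrimSpace(sidecar))
}

// VerifySignature is the strong check: the detached signature must verify
// under a key the tool ships (the KEYS file), never one the server serves.
func VerifySignature(repo Repo, path string, trusted []ed25519.PublicKey) Verdict {
	body, ok := repo[path]
	sig, ok2 := repo[path+".sig"]
	if !ok || !ok2 {
		return SigMissing
	}
	for _, pub := range trusted {
		if ed25519.Verify(pub, body, sig) {
			return SigOK
		}
	}
	return SigBad
}

type Outcome struct {
	HonestChecksum, MirrorChecksum    bool
	HonestSig, MirrorSig, StrippedSig Verdict
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario runs both checks against an honest repository and against a
// compromised mirror that swaps the jar and regenerates every sidecar it can.
func Scenario() Outcome {
	const jar = "commons-lang/jars/commons-lang-2.0.jar" // constructed path
	releasePub, releasePriv := mustKey()
	_, attackerPriv := mustKey()
	keys := []ed25519.PublicKey{releasePub} // shipped with the task, never fetched
	honest, mirror, stripped := Repo{}, Repo{}, Repo{}
	publish(honest, jar, []byte("genuine jar bytes"), releasePriv)
	publish(mirror, jar, []byte("trojaned jar bytes"), attackerPriv) // re-signed with the wrong key
	publish(stripped, jar, []byte("trojaned jar bytes"), nil)        // .sig simply dropped
	return Outcome{
		HonestChecksum: ChecksumMatches(honest, jar),
		MirrorChecksum: ChecksumMatches(mirror, jar),
		HonestSig:      VerifySignature(honest, jar, keys),
		MirrorSig:      VerifySignature(mirror, jar, keys),
		StrippedSig:    VerifySignature(stripped, jar, keys),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario()) // MirrorChecksum is true, MirrorSig is 2 (bad)
}
```

The md5 check passes for the trojaned jar because the mirror regenerated the sidecar along with the artifact; only the signature check, anchored in a key the server does not control, distinguishes the two, and it also gives the task the "missing" versus "bad" distinction to warn or prompt on.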
