www-repository mailing list archives

From Brett Porter <brett.por...@gmail.com>
Subject Re: repo security
Date Thu, 13 Jan 2005 23:53:39 GMT
+1 to that.

Reviewing yum to learn any lessons for our repository work is also a
good idea I think.

- Brett


On Thu, 13 Jan 2005 15:47:35 -0500, Tim O'Brien <tobrien@discursive.com> wrote:
> It should be the user's discretion, but it also might be a good thing to default to the most secure setting.  Similar to the new version of yum, it won't connect to yum repositories unless you import keys from the repositories, or turn off key verification - secure by default.
> 
> Tim
> 
> -----Original Message-----
> From: Brett Porter [mailto:brett.porter@gmail.com]
> Sent: Thu 1/13/2005 2:01 PM
> To: repository@apache.org
> Subject: Re: repo security
> 
> > Would we be talking about "gpg --armor --output
> > commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar". Or, is
> > there some other mechanism we would need to go through?
> 
> This is what I'd intended to do in Wagon using Bouncycastle. And as
> Steve mentions, it can be at the user's discretion: skip it, check it
> from the same location, check it, getting keys from a specified
> trusted location, only trust if the key is already in my keychain are
> probably the levels.
> 
> - Brett
> 
> 
>
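
The checking levels listed in the quoted message, sketched as a shell function around `gpgv` (an added example, not code from the thread or from Wagon). The level names, `KEYS.gpg`, `TRUSTED_KEYS`, `KEYCHAIN`, the file names and both throwaway keys are constructed for the demonstration, and it assumes GnuPG 2.2 or later with `gpgv` installed.

```shell
#!/bin/sh
# Added example. Level names, file names and key identities are constructed.
# verify_artifact LEVEL ARTIFACT SIG: status 0 only if ARTIFACT may be used.
#   skip              no check; has to be requested explicitly
#   same-location     keys from KEYS.gpg beside the artifact
#   trusted-location  keys from $TRUSTED_KEYS, obtained separately
#   keychain          keys already imported into $KEYCHAIN (the default)
verify_artifact() {
    case ${1:-keychain} in
        skip) return 0 ;;
        same-location) keys=$(dirname "$2")/KEYS.gpg ;;
        trusted-location) keys=$TRUSTED_KEYS ;;
        keychain) keys=$KEYCHAIN ;;
        *) return 1 ;;  # unknown level: fail closed
    esac
    [ -f "$keys" ] && [ -f "$2" ] && [ -f "$3" ] || return 1
    gpgv --keyring "$keys" "$3" "$2" >/dev/null 2>&1
}

# accepted_levels DIR: print the checking levels that accept DIR's artifact.
accepted_levels() {
    out=
    for l in same-location trusted-location keychain; do
        if verify_artifact "$l" "$1/$JAR" "$1/$JAR.asc"; then out="$out $l"; fi
    done
    echo "${out# }"
}

# publish DIR UID: constructed artifact in DIR, signed by a new throwaway key
# with the gpg command quoted in the thread; the public key goes to KEYS.gpg.
g() { gpg --homedir "$H" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
publish() {
    H=$1.gnupg; mkdir -p "$1" "$H" && chmod 700 "$H" || return 1
    echo "constructed content from $2" > "$1/$JAR"
    g --quick-generate-key "$2" default default never 2>/dev/null || return 1
    g --export --output "$1/KEYS.gpg" || return 1
    g --armor --output "$1/$JAR.asc" --detach-sign "$1/$JAR" || return 1
    gpgconf --homedir "$H" --kill gpg-agent 2>/dev/null || :
}

JAR=commons-foo-1.2.jar
D=$(mktemp -d)
publish "$D/repo" 'Constructed Release Key <release@example.invalid>'
publish "$D/mirror" 'Constructed Unknown Key <unknown@example.invalid>'
TRUSTED_KEYS=$D/project-KEYS.gpg; cp "$D/repo/KEYS.gpg" "$TRUSTED_KEYS"
KEYCHAIN=$D/keychain.gpg; : > "$KEYCHAIN"     # user has imported nothing yet
echo "repo, before import: $(accepted_levels "$D/repo")"
cat "$TRUSTED_KEYS" >> "$KEYCHAIN"            # user imports the release key
echo "repo, after import:  $(accepted_levels "$D/repo")"
echo "mirror, other key:   $(accepted_levels "$D/mirror")"
```

Only `same-location` accepts the `mirror` directory, because there the key arrived together with the artifact it vouches for. The default `keychain` level rejects even the genuine artifact until the release key has been imported, which is the yum behaviour described in the reply above.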
