From: Steve Loughran
To: repository@apache.org
Date: Tue, 15 Mar 2005 21:20:28 +0000
Subject: Re: security, hashing.

On Tue, 15 Mar 2005 09:51:54 -0500, Mark Diggory wrote:
> Russell Gold wrote:
>
> >On Thu, 10 Mar 2005 20:11:20 +0000, Steve Loughran wrote:
> >
> >>The disadvantages
> >> -no obvious 'latest version' in the repository
> >> -harder to field support calls, "what is the hash of your artifacts"?
> >
> >Not to mention, really complicating the job of upgrading to new versions.
> >
> >Is there a danger here of solving the 1% case at the expense of the 99% case?
>
> axis-0.0.1-04f3d5aab0.jar
>
> then you have the version and the hash... Think of the hash as similar to "alpha", "beta" or "rcN" identifiers (isn't it really? You're just identifying this particular "packaging" of axis-0.0.1.).
>
> But then again, this starts to get into the arena of Jar Signing, and there already is facility for that in Jar Artifacts...

The trouble with signed jars is the side effect. Sign a jar and it becomes implicitly sealed: you cannot load new classes into populated packages. For example, if Ant signed its jars, org.apache.tools.ant, org.apache.tools.ant.taskdefs.optional and the like would only be allowed to contain JARs which came from Ant. If any one is signed: all the rest are locked out. This is, IMO, the complete antithesis to open source dev - there is no point giving you the source if you can't use it.

What I am thinking of for a short term solution that works with the existing repository is to allow people to put the SHA1 digest in the build file when loading a library.

This puts the checksum declaration into the build file, giving whoever writes the file control.
This will work with the existing system; I just build the SHA1 checksum and compare it with what the user asked for. The project/artifact/version info is all that is used for retrieval though.
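
Added example, not part of the original message and not Ant's code: the check described above, with the SHA1 digest pinned next to the project/artifact/version coordinates and compared after download. The dictionary keys, the `repository_path` layout, the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

class DigestMismatch(Exception):
    """Downloaded artifact does not match the digest pinned in the build file."""

def file_sha1(path, chunk_size=65536):
    h = hashlib.sha1()  # fed in chunks so a large JAR is never fully in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def repository_path(dep):
    # Retrieval uses project/artifact/version only; this layout is assumed.
    return "{project}/jars/{artifact}-{version}.jar".format(**dep)

def verify_download(dep, path):
    expected = dep["sha1"].strip().lower()  # full digest required, not a prefix
    if len(expected) != 40 or set(expected) - set("0123456789abcdef"):
        raise ValueError("pinned value is not a full SHA-1 hex digest")
    actual = file_sha1(path)
    if not hmac.compare_digest(actual, expected):
        os.remove(path)  # fail closed: the file never reaches the classpath
        raise DigestMismatch(f"{repository_path(dep)}: expected {expected}, got {actual}")
    return actual

def demo():
    # Constructed sample: stand-in bytes for a JAR and the digest its user pinned.
    good = b"PK\x03\x04 constructed stand-in for axis-0.0.1.jar"
    dep = {"project": "axis", "artifact": "axis", "version": "0.0.1",
           "sha1": hashlib.sha1(good).hexdigest()}
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for i, body in enumerate((good, good + b" repackaged")):
            path = os.path.join(tmp, f"download-{i}.jar")
            with open(path, "wb") as f:
                f.write(body)
            try:
                verify_download(dep, path)
                results.append("accepted")
            except DigestMismatch:
                results.append("rejected")
    return results

if __name__ == "__main__":
    print(demo())
```

The digest only protects the build if the build file itself comes from a source the user trusts, since that is where the expected value lives.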