www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <steve.lough...@gmail.com>
Subject Re: long project names & repositories
Date Mon, 11 Apr 2005 13:15:22 GMT
On Apr 11, 2005 2:02 PM, Brett Porter <brett.porter@gmail.com> wrote:
> > the smartfrog solution is brute force unforgiving: you must declare
> > the SHA1 or MD5 value in a download
> Right... I'm sure users wanting security will put up with a certain
> level of pain. I'm still not sure how you securely publish the value
> initially (though this certainly prevents later tampering).
> I'd still like to think this through a little more.

There is no good solution here. Really. For example, say maven and
apache include the public keys of the apache CA: how do you verify
that the versions that ship with your IDE, or with the tomcat version
that came with your app server havent been subverted. Similarly: how
do you verify that the SHA1/MD5 key that you are putting in your
template is the correct one, and not one that is from somewhere
malicious. You need to trust someone, somewhere, and that is the weak
point for attack. Or team's security person doesnt believe in anything
other than clean build code, tagged CVS releases, with personal
signing. The only reason I can get away with coding the maven lib
support is that he is away right now...

The best source of keys (both SHA1 and MD5) will be the PGP signed
announcements of releases. That puts PGP at the base of the trust
chain. but we cant automated PGP checks without bouncycastle on the

View raw message