www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Loughran" <steve.lough...@gmail.com>
Subject Re: Maven repository security
Date Wed, 09 Aug 2006 16:57:01 GMT
On 01/08/06, Brett Porter <brett.porter@gmail.com> wrote:
> Hi,
>
> I'd be interested to get feedback on this early draft of possible ways
> to improve the verification of downloaded artifacts from Maven
> repositories to complete the implementation in the next couple of
> months.
>
> http://docs.codehaus.org/display/MAVEN/Repository+Security+Improvements
>
> Some of it still needs to be thought through some more... I've posted
> it to dev@maven.apache.org too so feel free to reply there or here
> (and I'll integrate any feedback into the document either way).
>

Reading it one more time, the trick of using SHA1 or MD5 checksums in
a dependency element is exactly what we do in smartfrog descriptors:


InstallHibernate extends Compound {

    destDir TBD;

    repo extends Maven2Library {
    }

    ehcache.jar extends JarArtifact {
        library LAZY PARENT:repo;
        project "ehcache";
        version "1.1";
        sha1 "c781c87c2eb4e062a473822486cca46cd785b24a";
    }

    copy.ehcache.jar extends CopyFile {
      source LAZY ehcache.jar;
      destination LAZY destDir ;
      copyOnDeploy false;
      overwrite false;
    }


    commons-collections.jar extends JarArtifact {
        library LAZY PARENT:repo;
        project "commons-collections";
        version "2.1.1";
        sha1 "017c599cfcc98d31ce2d2688b4f8826bbeb9aa98";
    }


    copy.commons-collections.jar extends copy.ehcache.jar {
        source LAZY commons-collections.jar;
    }

Provided you have the descriptor signed, you are immune to tampered
artifacts, at least until MD5 and SHA1 falls, at which point you have
more serious problems such as the fact that things like RPM are
compromised.

-steve

Mime
View raw message