Noel J. Bergman wrote:
> Gilles Scokart wrote:
>
>> Noel J. Bergman:
>>> Implement that, and we're fine. We will require Incubator artifacts to
>>> be signed by a designated key available to the PMC, and once a user has
>>> acknowledged that they accept such Incubator signed artifacts, maven can
>>> do what it wants with them.
>>> --- Noel
>
>> Is that really possible?
>
> Very.

Why is it not equally possible to validate against a short list of keys
(e.g. infra PMC members) and their immediate trust? This is what gpg is
good at.

>> I remember some discussion on the infra list about an ASF wide signature.
>> And the conclusion was always the same: how to secure a key that can be
>> used by so many people. If I remember well, some solutions were proposed,
>> but they were quite heavy. Do we have a solution for that?
>
> There are various things that can be done with respect to key management.
> Personally, I would not go with a single key. But maven ought to maintain a
> trust file, with options to accept files that are signed with a trusted key,
> or signed by a key that is signed by a trusted key, etc. The first thing
> that has to happen is for the Maven PMC to make security a priority.

As far as signing jars, Microsoft Authenticode etc., Noel and I planned to
create such a service (although we've both been really busy in the past few
months). But it will always require that the artifacts are already signed by
someone in the ASF's web-of-trust via PGP.

Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
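The trust file Noel describes, as an added example that is not part of the original thread and not Maven's or the ASF's code: a policy check that accepts an artifact signature when the signer's primary key is listed in a trust file or, one hop out, when a listed key has certified the signer's key. It assumes gpg's `--status-fd` output (`GOODSIG`/`VALIDSIG` lines) and `--with-colons --check-sigs` records as its inputs; every fingerprint, key ID and record below is constructed sample data, not captured from real keys.

```python
"""Trust-file policy for PGP-signed artifacts: accept if the signer's primary key is
listed in a trust file, or (one hop) if a listed key has certified it.
Added example, not Maven's or the ASF's code. Assumed inputs: a trust file (one
primary-key fingerprint per line, '#' comments); status lines from
`gpg --status-fd 1 --verify artifact.asc artifact`; colon records from
`gpg --with-colons --check-sigs <fingerprint>`. All sample data is constructed."""
import re

_HEX40 = re.compile(r"^[0-9A-F]{40}$")
_CERT_CLASSES = {"10", "11", "12", "13"}  # certification sig classes 0x10..0x13

def load_trust_file(text):
    """Trusted primary-key fingerprints, normalised to 40 uppercase hex digits."""
    trusted = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fpr = line.replace(" ", "").upper()
        if not _HEX40.match(fpr):
            raise ValueError(f"trust file: not a v4 fingerprint: {line!r}")
        trusted.add(fpr)
    return trusted

def primary_key_from_status(status_text):
    """Signer's primary-key fingerprint if gpg reported GOODSIG + VALIDSIG, else None.
    VALIDSIG names the signing (sub)key first and the primary key last; trust files
    list primary keys, so the last field is the one to match."""
    good, primary = False, None
    for line in status_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "[GNUPG:]":
            continue
        if tok[1] == "GOODSIG":
            good = True
        elif tok[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return None
        elif tok[1] == "VALIDSIG":
            primary = (tok[-1] if len(tok) >= 12 else tok[2]).upper()
    return primary if good else None

def parse_key(check_sigs_text, primary_fpr):
    """{'validity': pub flag, 'certifiers': set of fingerprints} for primary_fpr.
    Only certifications gpg verified ('!') count; self-signatures, revocations
    (class 0x30) and signatures by keys gpg does not hold ('?') are ignored."""
    info, pending_pub, current = {"validity": None, "certifiers": set()}, None, None
    for line in check_sigs_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending_pub, current = f, None
        elif f[0] == "fpr" and pending_pub is not None and len(f) > 9:
            current = f[9].upper()
            if current == primary_fpr:
                info["validity"] = pending_pub[1]
            pending_pub = None
        elif f[0] == "sub":
            current = None  # sig records after this are subkey-binding sigs
        elif f[0] == "sig" and current == primary_fpr and len(f) > 12:
            status, sig_class, issuer = f[1], f[10], f[12].upper()
            if status == "!" and sig_class[:2] in _CERT_CLASSES and issuer not in ("", primary_fpr):
                info["certifiers"].add(issuer)
    return info

def evaluate(trust_file_text, status_text, check_sigs_text, max_depth=1):
    """(decision, reason). max_depth=0: listed keys only; 1: also keys a listed key certified."""
    trusted = load_trust_file(trust_file_text)
    primary = primary_key_from_status(status_text)
    if primary is None:
        return "reject", "no good signature from a usable key"
    if primary in trusted:
        return "accept", f"{primary} is listed in the trust file"
    if max_depth < 1:
        return "reject", f"{primary} is not listed and transitive trust is off"
    key = parse_key(check_sigs_text, primary)
    if key["validity"] is None or key["validity"] in ("r", "e"):
        return "reject", f"{primary} is missing, revoked or expired in the keyring"
    vouchers = sorted(key["certifiers"] & trusted)
    if vouchers:
        return "accept", f"{primary} is certified by trusted key {vouchers[0]}"
    return "reject", f"{primary} has no verified certification from a trusted key"

# Constructed sample data: A = listed infra key, B = release manager's primary key,
# B_SUB = B's signing subkey (what VALIDSIG names first), C = key gpg cannot verify.
A, B, B_SUB, C = "A1" * 20, "B2" * 20, "D4" * 20, "C3" * 20
TRUST_FILE = f"# infra PMC keys (constructed)\n{A}\n"
STATUS_OK = (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {B[-16:]} Release Manager <rm@example.org>\n"
             f"[GNUPG:] VALIDSIG {B_SUB} 2024-01-01 1704067200 0 4 0 1 10 00 {B}\n")
STATUS_BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {B[-16:]} Release Manager <rm@example.org>\n"
CHECK_SIGS_B = (
    f"pub:-:4096:1:{B[-16:]}:1700000000:::-:::scESC::::::23::0:\n"
    f"fpr:::::::::{B}:\n"
    f"uid:-::::1700000000::ABCDEF::Release Manager <rm@example.org>::::::::::0:\n"
    f"sig:!::1:{B[-16:]}:1700000000::::Release Manager <rm@example.org>:13x::{B}:::8:\n"
    f"sig:!::1:{A[-16:]}:1700000100::::Infra Member <infra@example.org>:10x::{A}:::8:\n"
    f"sig:?::1:{C[-16:]}:1700000200::::[User ID not found]:10x::{C}:::8:\n"
    f"sub:-:4096:1:{B_SUB[-16:]}:1700000000:::::s::::::23:\n"
    f"fpr:::::::::{B_SUB}:\n")

if __name__ == "__main__":
    for label, trust, depth in [("one hop via A", TRUST_FILE, 1), ("B listed", f"{B}\n", 1),
                                ("transitive off", TRUST_FILE, 0), ("only C listed", f"{C}\n", 1)]:
        print(f"{label:15} -> {evaluate(trust, STATUS_OK, CHECK_SIGS_B, depth)}")
    print(f"{'bad signature':15} -> {evaluate(TRUST_FILE, STATUS_BAD, CHECK_SIGS_B)}")
```

Two details matter in practice. The trust file must be matched against the signer's primary-key fingerprint, not the fingerprint of the signing subkey that `VALIDSIG` reports first, or a key listed under its primary fingerprint is rejected whenever the release manager signs with a subkey. And only certifications gpg has actually verified (`--check-sigs` status `!`) may count as a trusted key vouching for the signer, because anyone can attach an unverifiable signature packet to a key on a keyserver; the sample's `?` record from C is dropped for that reason. The check stops at one hop, as Noel's "signed by a key that is signed by a trusted key"; following longer chains would need the certifiers' keys in the same pinned keyring, not a keyserver lookup at build time.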