From: "Robert Burrell Donkin"
To: general@incubator.apache.org
Subject: Re: enforced signing of artifacts, [was maven repository]
Date: Mon, 2 Jun 2008 19:40:21 +0100

On Sat, May 31, 2008 at 8:11 PM, Craig L Russell wrote:
>
> On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
>
>> On Sat, May 31, 2008 at 3:42 AM, Brett Porter wrote:
>>>
>>> 2008/5/31 Brian E. Fox:
>>>>
>>>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>>>> for over a year now and this is the first I've heard of it.
>>>>
>>>> We do support signing of artifacts and all the maven releases are
>>>> signed. We obviously don't control all the other Apache projects in a
>>>> way to enforce that they sign their artifacts.
>>>
>>> Noel is referring to enforcing checking signatures, not signing them.
>>> I've had a proposal out there for some time which anyone is free to
>>> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>>>
>>> There hasn't been a lot of traction behind it so far. Ease of use,
>>> especially OOTB, is probably one of the main concerns.
>>
>> IMO this isn't really a maven issue: basic checks should be performed
>> on all releases. i favour a private subversion repository with custom
>> hooks for release publishing.
>
> I think that maven basically changes the equation, since it is responsible
> for automatically downloading artifacts, and this feature is a huge
> usability win. I think that currently, usability trumps security.
>
> Since maven automatically downloads artifacts, it's technically feasible for
> maven to verify the signatures of those artifacts and allow for control by
> the user over whether or not to trust the artifacts.
>
> For example, "trust all unsigned", "trust all signed", "trust all signed in
> Apache WOT" might be reasonable policies declared by the user.

+1

- robert