On Sat, May 31, 2008 at 8:11 PM, Craig L Russell wrote: > > On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote: > >> On Sat, May 31, 2008 at 3:42 AM, Brett Porter >> wrote: >>> >>> 2008/5/31 Brian E. Fox : >>>> >>>> Can you elaborate more on what you mean here? I've been on the Maven PMC >>>> for over a year now and this is the first I've heard of it. >>>> >>>> We do support signing of artifacts and all the maven releases are >>>> signed. We obviously don't control all the other Apache projects in a >>>> way to enforce that they sign their artifacts. >>> >>> Noel is referring to enforcing checking signatures, not signing them. >>> I've had a proposal out there for some time which anyone is free to >>> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security >>> >>> There hasn't been a lot of traction behind it so far. Ease of use, >>> especially OOTB, is probably one of the main concerns. >> >> IMO this isn't really a maven issue: basic checks should be performed >> on all releases. i favour a private subversion repository with custom >> hooks for release publishing. > > I think that maven basically changes the equation, since it is responsible > for automatically downloading artifacts, and this feature is a huge > usability win. I think that currently, usability trumps security. > > Since maven automatically downloads artifacts, it's technically feasible for > maven to verify the signatures of those artifacts and allow for control by > the user over whether or not to trust the artifacts. > > For example, "trust all unsigned", "trust all signed", "trust all signed in > Apache WOT" might be reasonable policies declared by the user. +1 - robert --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org For additional commands, e-mail: general-help@incubator.apache.org