incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Henning Schmiedehausen <>
Subject Re: status of PGP support in Maven
Date Thu, 18 Sep 2008 00:32:49 GMT
On Tue, 2008-09-16 at 01:02 +1100, Brett Porter wrote:

> Currently, it has checking turned on by default, but that isn't going to be
> a reasonable setting for some releases to come until the signatures in the
> repository are cleaned up. At the moment I've populated unsigned artifacts
> with a signature from a dummy key for testing purposes only.


> For the releases to be identified as from the incubator, they'll need to be
> signed solely by "the incubator". Did you want to elaborate on how you
> anticipated that set up working?

That sounds like a limitation of our signing model. Another scenario: I
have hacked a maven repository and put up a modified version of an
artifact. I can trivially find out, which Apache person signed that
release (by looking at the official site), then create a GPG key for
that person and sign that modified artifact.

Now someone tries to download the artifact. Checksums work out (because
I modified them, too), they pull the .asc file with the signature and it
shows "Artifact has been signed by <release manager> This
key is not certified with a trusted signature.There is no indication
that the signature belongs to the owner. Do you want to continue (Y/N)?"


- how many downloaders in a hurry will press "Y"?
- how many will actually take the fingerprint and go to the master site
of that artifact and verify it?
- how many will press "N"? Especially when my hacked artifact is just a
dependency of a dependency for a tool that they want to check out?

The only way around that I can see right away in a heavily mirrored
system, is to pull the signatures (and probably even the checksums) from
central all the time. Which represents a single point of failure and a
non-scaling element. 

Our web of trust has the following weaknesses:

- both incubating and non-incubating releases can be signed by the same
person with the same key
- there is no requirement that a release manager's key is actually well
connected (or even somehow connected) to the web of trust. Same goes for
the downloaders subset of keys that they trust.
- there is no easy way for a downloader to get a "basic set of
signatures to trust"

Of course you could simply throw the release signatures away, add
"signed by central" signatures for all artifacts in the repo and have
that public key distributed. That is probably the easiest and best
scaling thing.

	Best regards

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message