incubator-general mailing list archives

From Henning Schmiedehausen <>
Subject Re: status of PGP support in Maven
Date Sat, 20 Sep 2008 17:08:42 GMT
On Sat, 2008-09-20 at 10:08 +0100, Robert Burrell Donkin wrote:
> On Fri, Sep 19, 2008 at 6:11 PM, Justin Erenkrantz
> <> wrote:
> > On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino <> wrote:
> >> How about we include the signatures in the source distros?  That way
> >> if you trust your source, then you can trust the dependencies it
> >> downloads.
> >
> > Eww.  That'd be a giant gaping security hole.
> not necessarily, depends how it's done
> signing works through trusting the people who own the keys. given
> sufficient signatures (to prevent small conspiracies), where the
> signatures are downloaded from shouldn't matter.

Hiram suggested putting the signatures into the source, which in turn is
also distributed from the repo. If you compromise the repo and change
the artifact, it is trivial to update the source artifact to contain a
matching signature.

This is a security hole. And I don't really care for some of the
proposed "high nineties" security solutions. Either a solution is secure
or it is not. Everything else is just FUD.

The problem with the central repo is that you need an easily accessible
web of trust if you want validation. The Apache web of trust is
distributed and an overlay to the GPG web of trust. But if you live in
Juneau, Alaska, it is hard for you to access it and get a trust
relationship to it.

There is a (bit rusty) proposal on how to improve this at
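
Henning's argument above, as an added example that is not part of the thread: a stand-in signature scheme (a Lamport one-time signature over SHA-256, chosen so it runs with Python's standard library only; PGP is assumed to behave the same way for this purpose) shows that a verifier trusting the key shipped in the same bundle accepts a re-signed replacement, while a verifier holding a key obtained out of band rejects it. All keys and artifacts are constructed in the code.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; public key = hash of each.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bit(msg, i):
    return (int.from_bytes(H(msg), "big") >> (255 - i)) & 1

def sign(sk, msg):
    # Reveal one secret per bit of the message digest.
    return [sk[i][bit(msg, i)] for i in range(256)]

def verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][bit(msg, i)] for i in range(256))

def publish(artifact, sk, pk):
    # Hiram's model: artifact, signature and key all served from the repo.
    return {"artifact": artifact, "sig": sign(sk, artifact), "key": pk}

def tampered(new_artifact):
    # Henning's point: whoever controls the repo can replace the artifact,
    # re-sign with a key of their own and ship that key in the same bundle.
    sk, pk = keygen()
    return publish(new_artifact, sk, pk)

def check_bundled_key(bundle):
    # Trusts whatever key arrived with the distribution.
    return verify(bundle["key"], bundle["artifact"], bundle["sig"])

def check_pinned_key(bundle, trusted_pk):
    # Trusts only a key obtained out of band (e.g. via the web of trust).
    return verify(trusted_pk, bundle["artifact"], bundle["sig"])

def demo():
    dev_sk, dev_pk = keygen()                       # constructed developer key
    good = publish(b"artifact-1.0.jar", dev_sk, dev_pk)
    bad = tampered(b"artifact-1.0.jar (modified)")  # constructed repo compromise
    return {
        "good_bundled": check_bundled_key(good),
        "good_pinned": check_pinned_key(good, dev_pk),
        "bad_bundled": check_bundled_key(bad),       # True: tampering unnoticed
        "bad_pinned": check_pinned_key(bad, dev_pk), # False: tampering detected
    }
```

Calling demo() returns the four verdicts; only the pinned-key check distinguishes the genuine bundle from the tampered one.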

