incubator-general mailing list archives

From Henning Schmiedehausen <>
Subject Re: status of PGP support in Maven
Date Sun, 21 Sep 2008 18:33:50 GMT

On Sat, 2008-09-20 at 19:52 +0200, Jukka Zitting wrote:
> Hi,
> On Sat, Sep 20, 2008 at 7:08 PM, Henning Schmiedehausen
> <> wrote:
> > Hiram suggested to put the signatures into the source, which in turn is
> > also distributed from the repo.
> It's not. The sources you build come either from svn or from a signed
> release package.

What is a signed release package? If I can compromise the repository and
change signatures on an artifact, I can also change the signatures and
contents on a "signed release package". That does not work.

In <>:

Hiram> How about we include the signatures in the source distros?  That
Hiram> way if you trust your source, then you can trust the dependencies
Hiram> it downloads.

Sounds pretty clear to me. Your suggestion again requires that the
verifier goes back to a central, trusted repository (Single point of
failure) and even more, it requires some sort of convention on where and
how to store these signatures. Does not scale.

Folks, if distributed trust was easy, Trust Centers wouldn't make a
fortune selling signed keys from a central trust source ("Root
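
A small model of the argument in this message, added here as an example (not code from the thread or from Maven), using Go's crypto/ed25519 in place of PGP: once an attacker controls the repository, the artifact, its detached signature and the key stored beside it can all be replaced consistently, so only a key the verifier already holds from somewhere else detects the swap. The repository layout, key pairs and artifact names are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Repo models one repository entry: the artifact, its detached signature, and the public key the publisher uploaded next to it.
type Repo struct {
	Artifact  []byte
	Signature []byte
	PubKey    ed25519.PublicKey
}

// publish signs an artifact and stores key, signature and artifact together.
func publish(priv ed25519.PrivateKey, artifact []byte) Repo {
	return Repo{artifact, ed25519.Sign(priv, artifact), priv.Public().(ed25519.PublicKey)}
}

// tamper models a repository compromise: the artifact is swapped, re-signed, and the stored key replaced to match.
func tamper(r Repo, attacker ed25519.PrivateKey, evil []byte) Repo {
	r.Artifact = evil
	r.Signature = ed25519.Sign(attacker, evil)
	r.PubKey = attacker.Public().(ed25519.PublicKey)
	return r
}

// verifyWithRepoKey trusts whatever key sits beside the artifact.
func verifyWithRepoKey(r Repo) bool {
	return ed25519.Verify(r.PubKey, r.Artifact, r.Signature)
}

// verifyWithPinnedKey trusts only a key obtained out of band (a keyring the verifier already holds).
func verifyWithPinnedKey(r Repo, trusted ed25519.PublicKey) bool {
	return ed25519.Verify(trusted, r.Artifact, r.Signature)
}

// scenario runs the compromise and reports what each check concludes.
func scenario() (repoKeyAccepts, pinnedKeyAccepts bool) {
	pubP, privP, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key
	_, privA, _ := ed25519.GenerateKey(rand.Reader)    // constructed attacker key
	repo := tamper(publish(privP, []byte("foo-1.0.jar")), privA, []byte("foo-1.0.jar (modified)"))
	return verifyWithRepoKey(repo), verifyWithPinnedKey(repo, pubP)
}

func main() {
	a, b := scenario()
	fmt.Printf("key-from-repo accepts tampered artifact: %v, pinned key accepts: %v\n", a, b)
}
```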

