incubator-general mailing list archives

From Henning Schmiedehausen <>
Subject Re: status of PGP support in Maven
Date Wed, 24 Sep 2008 06:02:32 GMT
There is a pretty nice proposal on; however, this will again take a
piece of "freedom of doing software at Apache" away and introduce some
administrative overhead that all projects must implement and manage.

Formalizing the signing of our releases would be a huge step towards a
reliable validation for the Apache software releases. It still does not
help you with third-party releases, though.

I don't know how many artifacts are on repo. I'd guess hundreds,
probably thousands. They have all been uploaded automatically or
semi-automatically, because validating them by hand from the bazillion
of different sources is very difficult.

I spot a startup chance here for a company offering a trusted, validated
repository where all uploaded artifacts have been verified by the
uploaders. Any VCs around? I am bored and have time to write a business
plan ;-) 

IMHO: Anyone who is using maven for commercial software development and
does not run a controlled, in-house repository that is actively managed
and maintained is IMHO in for big, ugly surprises in the long run.


On Wed, 2008-09-24 at 13:36 +0800, Niclas Hedhman wrote:
> On Wed, Sep 24, 2008 at 1:20 PM, Henning Schmiedehausen <> wrote:
> 
> I enjoy your scenarios...
> 
> > And again, there is no "high nineties" security. Your solution is either
> > secure or it is not.
> 
> For accuracy; This is not true either. AFAIK, no security solution is
> totally secure. You will be left with a number game.
> 
> But I agree that this is a complex and non-trivial problem. Right now, we
> just say; "No Security, check manually." and to users who don't (like
> myself) we just ask them to blame themselves for being sloppy. Fair Enough.
> 
> BUT, somehow I feel that a bit of "help" could be in order, and I think that
> if it is not portrayed as "secure" and that the manual check should still
> be done by the security conscious, then why not try to provide that? How can
> a step in the right direction be bad?
> 
> Cheers
> Niclas
