incubator-general mailing list archives

From Dirk-Willem van Gulik <>
Subject Re: status of PGP support in Maven
Date Wed, 24 Sep 2008 14:11:44 GMT

On Sep 24, 2008, at 3:44 PM, Hiram Chirino wrote:

> On Wed, Sep 24, 2008 at 1:27 AM, Henning Schmiedehausen
> <> wrote:
>> On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote:
>>> On Mon, Sep 22, 2008 at 10:12 AM, sebb <> wrote:
>>>> On 22/09/2008, Hiram Chirino <> wrote:
>>>>> The only reason I suggested including the sigs in the source distro is
>>>>> because a source build like Apache ServiceMix depends on hundreds of
>>>>> third party dependencies.. so an end user would need to end up
>>>>> trusting LOTs of different signatures to get ServiceMix to build.
>>>>> It would be easier if the end user could just trust the Apache source
>>>>> distro and also transitively trust the signatures that we trust for
>>>>> our dependencies.
>>> I actually meant to say include the pub key for the dependency in the
>>> source distro.
>> How do you validate that the pub key presented to you is genuine? What
>> you are currently proposing is
>> src-artifact <- signed with A's privkey, validated with A's pubkey
>> A's pubkey is inside src-artifact.
> NO I'm not.  I'm saying that A artifact has 100 dependencies by say 30
> different signers.. we include
> those 30 pub keys in the src-artifact.  NOT the A key!
> You have to validate the A source distro the same way you would
> validate an ANT based build source distro today.

Ok, we can do something where the X +1's issued are sent to a keyserver
along with the OK of a PMC member or human gate (as one does not want
to also automate veto counting) or similar - together with the md5/sha1.
And returned is the latter hash signed by some rolling apache key or x509.
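The bundled-keys scheme Hiram describes, with the circular check Henning warns about placed beside the sound one, as an added example that is not part of this thread and not Maven's or Apache's own code. It uses Ed25519 from Go's standard library as a stand-in for PGP, derives a fingerprint-style key ID by hashing the public key, and constructs every artifact name and byte string inline; the type and function names (Signed, Distro, VerifyDistro, VerifyDistroSelfTrusting, BuildScenario) are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Signed is a file plus a detached signature and the ID of the key that
// produced it (stand-in for a Maven artifact and its .asc file).
type Signed struct {
	Name  string
	Data  []byte
	KeyID string
	Sig   []byte
}

// Distro is A's source distribution: the signed tarball, the publisher key
// A ships inside it (what Henning objects to), and the dependency signers'
// keys plus the signed dependencies (what Hiram proposes to bundle).
type Distro struct {
	Tarball      Signed
	EmbeddedAKey ed25519.PublicKey
	BundledKeys  map[string]ed25519.PublicKey // keyID -> dependency signer key
	Deps         []Signed
}

// KeyID derives a short fingerprint from a public key, as a PGP key ID would.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign produces a detached signature over data with priv.
func Sign(name string, data []byte, priv ed25519.PrivateKey) Signed {
	pub := priv.Public().(ed25519.PublicKey)
	return Signed{Name: name, Data: data, KeyID: KeyID(pub), Sig: ed25519.Sign(priv, data)}
}

// tarballBytes stands for the whole tarball: sources plus the bundled keys
// file, so that A's signature covers which dependency keys are trusted.
func tarballBytes(src []byte, keys map[string]ed25519.PublicKey) []byte {
	ids := make([]string, 0, len(keys))
	for id := range keys {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	out := append([]byte{}, src...)
	for _, id := range ids {
		out = append(out, keys[id]...)
	}
	return out
}

// checkSig verifies one signed file against a keyring: the signer's key must
// be in the ring and the signature must verify over the bytes on disk.
func checkSig(s Signed, ring map[string]ed25519.PublicKey) error {
	pub, ok := ring[s.KeyID]
	if !ok {
		return fmt.Errorf("%s: signing key %s is not trusted", s.Name, s.KeyID)
	}
	if !ed25519.Verify(pub, s.Data, s.Sig) {
		return fmt.Errorf("%s: bad signature", s.Name)
	}
	return nil
}

// checkDeps trusts the bundled keys only for the dependencies they sign.
func checkDeps(d Distro) error {
	for _, dep := range d.Deps {
		if err := checkSig(dep, d.BundledKeys); err != nil {
			return err
		}
	}
	return nil
}

// VerifyDistro is the sound procedure: A's key comes from an out-of-band
// anchor (a KEYS file fetched separately, a web-of-trust path, ...), never
// from the tarball itself. Only once the tarball verifies do the keys inside
// it become trusted, and then only for the dependencies.
func VerifyDistro(d Distro, anchor ed25519.PublicKey) error {
	ring := map[string]ed25519.PublicKey{KeyID(anchor): anchor}
	if err := checkSig(d.Tarball, ring); err != nil {
		return err
	}
	return checkDeps(d)
}

// VerifyDistroSelfTrusting is the circular scheme Henning warns about: it
// takes A's key from inside the very artifact it is supposed to validate.
func VerifyDistroSelfTrusting(d Distro) error {
	ring := map[string]ed25519.PublicKey{KeyID(d.EmbeddedAKey): d.EmbeddedAKey}
	if err := checkSig(d.Tarball, ring); err != nil {
		return err
	}
	return checkDeps(d)
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildScenario constructs a legitimate distro of A and a forged copy in
// which an attacker replaced a dependency, re-signed everything with her own
// key, and swapped in her key as both embedded and bundled key. All names and
// bytes are made up for the example.
func BuildScenario() (good, forged Distro, anchor ed25519.PublicKey) {
	aPub, aPriv := mustKey() // A: publisher of the source distro
	bPub, bPriv := mustKey() // B: signer of a dependency
	mPub, mPriv := mustKey() // Mallory: attacker
	goodKeys := map[string]ed25519.PublicKey{KeyID(bPub): bPub}
	good = Distro{
		Tarball:      Sign("servicemix-src.tar.gz", tarballBytes([]byte("source bytes"), goodKeys), aPriv),
		EmbeddedAKey: aPub,
		BundledKeys:  goodKeys,
		Deps:         []Signed{Sign("commons-foo-1.0.jar", []byte("jar bytes"), bPriv)},
	}
	evilKeys := map[string]ed25519.PublicKey{KeyID(mPub): mPub}
	forged = Distro{
		Tarball:      Sign("servicemix-src.tar.gz", tarballBytes([]byte("source bytes"), evilKeys), mPriv),
		EmbeddedAKey: mPub,
		BundledKeys:  evilKeys,
		Deps:         []Signed{Sign("commons-foo-1.0.jar", []byte("backdoored jar bytes"), mPriv)},
	}
	return good, forged, aPub
}

func main() {
	good, forged, anchor := BuildScenario()
	fmt.Println("good, anchored:       ", VerifyDistro(good, anchor))
	fmt.Println("forged, anchored:     ", VerifyDistro(forged, anchor))
	fmt.Println("forged, self-trusting:", VerifyDistroSelfTrusting(forged))
}
```

In the sound path the only trust anchor is A's key obtained outside the distro; the dependency keys become trusted because A's verified signature covers the file that lists them, which is the transitive trust Hiram is after. The self-trusting path accepts the forgery because the attacker controls both the artifact and the key used to check it, which is exactly Henning's objection, so the KeyID alone in the embedded key buys nothing.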


