incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: status of PGP support in Maven
Date Thu, 18 Sep 2008 16:03:12 GMT
Gilles Scokart wrote:
> 2008/9/15 William A. Rowe, Jr. <>:
>> Brett Porter wrote:
>>> For the releases to be identified as from the incubator, they'll need to
>>> be
>>> signed solely by "the incubator". Did you want to elaborate on how you
>>> anticipated that set up working?
>> With PGP it's a web of trust.  Any ASF-role key would never be used to sign
>> any artifact.  Ideally, ASF-key would sign incubator key, incubator key
>> would sign Jane's key, Jane would RM and sign with her own key, and the web
>> of trust satisfies the trust requirement.
> That would requires a complete isolated web of trust for the incubator
> release.  If the incubating web of trust is trusted by someone that I
> trust, then I would trust the incubating artefact without realising
> that this artefact comes from the incubator.
> I thought the objectif was to force the user to agree that he
> understandd he is using an incubating artefact.

That's not the point of a signature.  Signature verification is a mechanism
to validate the origin of the package.  Not it's integrity vs. a checksum,
but that the package (and checksum) had not been altered in the repository
at the origin server, during transit (e.g. a man-in-the-middle attack) nor

If you (as an author) are satisfied that any 1.x.x release will satisfy
your dependency on package foo, even if you generate checksums on all
of 1.0.0 through current rev 1.1.12, that doesn't help you when foo then
ships package 1.2.0, effectively rendering maven worthless.

Signatures exist for a reason, they don't require pre-knowledge of some
package that does not yet exist, and serve to authenticate the packages
origin.  That's why .rpm and other distribution models all rely on them.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message