incubator-general mailing list archives

From: "William A. Rowe, Jr."
Subject: Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date: Thu, 18 Sep 2008 21:41:45 GMT
Hiram Chirino wrote:
> Agreed.  I never argued against this.  But I fail to see the point?
> Are you saying initial trust is hard to secure?  I totally agree on
> that point.  You have any solutions?

Yes.  You sign your package locally, never on the remote system.  The ASF
hardware must never have your gpg signing key.  And nobody trusts that
package without observing a valid gpg signature, especially not software
that is "blindly" installed (e.g. maven, other automated installers).

The security hole we perceive is that ASF packages are blindly created
using maven, relying on the fact that no machine that had touched that
dependent artifact or transmitting it had been compromised.

If the key is compromised, it's your job to revoke it.  But there's a long
discussion about revocation trust, let's not go there.

>> If it were cracked again, MD5 signatures would not be trusted, and all of
>> those resources would be wiped if there were no gpg keys available to
>> validate the packages.
> Are you saying even the source code/svn would be wiped?  If that's the
> case we would have a real tragedy on our hands.  I hope we kept good
> backups.

Yes; and we have backups.  We even have a mirror to retrace precisely what
commits happened after the breach, and determine if we want to reapply them
(presuming for a moment that the mirror could not be compromised).

> It's configurable.. We can default to whatever algorithm you think is
> the most secure for the foreseeable future.

Since the hash is not security, it's not terribly important, eh?
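An added illustration of the distinction drawn in this exchange (example code, not from the thread or from the ASF): a POSIX shell check that treats the checksum sidecar as an integrity hint only and refuses to accept an artifact without a detached OpenPGP signature verified against a keyring held locally. The `.sha256`/`.asc` sidecar names and the `./keyring.gpg` path are assumptions; the keyring is assumed to have been built out of band, for example from a project's KEYS file.

```shell
#!/bin/sh
# verify_release ARTIFACT [KEYRING]
# Exit codes: 0 verified, 1 checksum mismatch, 2 no detached signature,
#             3 signature did not verify against the local keyring.
verify_release() {
    artifact="$1"
    keyring="${2:-./keyring.gpg}"   # assumption: built from a KEYS file you fetched out of band

    # 1. Integrity only. The .sha256 sidecar came from the same mirror as the
    #    artifact, so whoever can swap one can swap the other; a match proves
    #    nothing about who produced the bytes. (Assumed sidecar name.)
    if [ -f "$artifact.sha256" ]; then
        expected=$(awk '{print $1}' "$artifact.sha256")
        actual=$(sha256sum "$artifact" | awk '{print $1}')
        [ "$expected" = "$actual" ] || return 1
    fi

    # 2. Authenticity. Refuse anything that arrives without a detached
    #    signature; this is the opposite of a "blind" install.
    [ -f "$artifact.asc" ] || return 2

    # 3. Verify against the keys you already hold, never against a key the
    #    mirror hands you alongside the package.
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$artifact.asc" "$artifact" >/dev/null 2>&1 || return 3
    return 0
}
```

An installer wired to this would stop at step 2 for an unsigned artifact even when the checksum matches, which is the case the thread is worried about.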
