incubator-general mailing list archives

From "Hiram Chirino" <>
Subject Re: status of PGP support in Maven
Date Thu, 18 Sep 2008 00:59:01 GMT
Something else that needs to be considered is what happens if
someone's private key in the web of trust gets compromised?
Once compromised, malicious releases could get re-rolled, and deployed.

I think GPG would be good to validate an initial dependency/checksum
for an artifact, but after that future builds should validate against
the artifact checksum.


On Mon, Sep 15, 2008 at 2:00 PM, Robert Burrell Donkin
<> wrote:
> On Mon, Sep 15, 2008 at 3:40 PM, William A. Rowe, Jr.
> <> wrote:
>> Brett Porter wrote:
>>> For the releases to be identified as from the incubator, they'll need to
>>> be
>>> signed solely by "the incubator". Did you want to elaborate on how you
>>> anticipated that set up working?
>> With PGP it's a web of trust.  Any ASF-role key would never be used to sign
>> any artifact.  Ideally, ASF-key would sign incubator key, incubator key
>> would sign Jane's key, Jane would RM and sign with her own key, and the web
>> of trust satisfies the trust requirement.
> i think that this approach would require a shadow web for incubator keys
> suppose:
> alice is an apache committer
> alice has key K which is commented "APACHE CODE SIGNING KEY"
> alice is elected release manager for incubator podling P
> alice would need to create a new key S which is commented "INCUBATOR
> alice adds S to an incubator KEYS document
> then alice should ensure that S (not K) is the only key used to sign
> the release for P
> - robert



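A sketch of the policy Hiram describes (verify the PGP signature once, then pin the artifact checksum for later builds), as an added example that is not part of the thread or of Maven itself. `pgp_verify` is a hypothetical stand-in for a real web-of-trust check such as `gpg --verify`, and the artifact bytes, coordinates and pin store are constructed.

```python
"""Verify-once, pin-thereafter policy for build artifacts (constructed example)."""
import hashlib
from typing import Callable, Dict, List, Tuple

# Hypothetical pin store: artifact coordinate -> SHA-256 of the bytes that were
# signature-verified the first time. A real build would persist this to a file.
PinStore = Dict[str, str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(coord: str, data: bytes, signature: bytes, pins: PinStore,
                    pgp_verify: Callable[[bytes, bytes], bool]) -> Tuple[bool, str]:
    """Return (accepted, reason); records a pin on the first successful check.

    pgp_verify(data, signature) is a parameter so the policy runs offline; in
    practice it would be a call into gpg against the project's KEYS file.
    """
    digest = sha256_hex(data)
    pinned = pins.get(coord)
    if pinned is None:
        # First encounter: only the PGP signature can establish trust.
        if not pgp_verify(data, signature):
            return False, "initial PGP verification failed"
        pins[coord] = digest
        return True, "signature verified; checksum pinned"
    # Later builds: the pin wins even over a valid signature, so a release
    # re-rolled with a later-compromised key (new bytes, good signature) fails.
    if digest != pinned:
        return False, "checksum mismatch against pinned value (re-rolled release?)"
    return True, "checksum matches pin"


# --- constructed demo data --------------------------------------------------
ORIGINAL = b"podling-P-1.0.jar contents (constructed)"
REROLLED = b"podling-P-1.0.jar contents (constructed, re-rolled by key holder)"


def fake_pgp_verify(data: bytes, signature: bytes) -> bool:
    # Stand-in verifier: a "signature" is b"sig:" + SHA-256 of the data. It also
    # accepts REROLLED, modelling a key the attacker now controls.
    return signature == b"sig:" + sha256_hex(data).encode()


def demo() -> List[Tuple[bool, str]]:
    pins: PinStore = {}
    coord = "org.example.p:p:1.0"  # constructed coordinate
    sig_orig = b"sig:" + sha256_hex(ORIGINAL).encode()
    sig_reroll = b"sig:" + sha256_hex(REROLLED).encode()
    return [verify_artifact(coord, ORIGINAL, sig_orig, pins, fake_pgp_verify),
            verify_artifact(coord, ORIGINAL, sig_orig, pins, fake_pgp_verify),
            verify_artifact(coord, REROLLED, sig_reroll, pins, fake_pgp_verify)]
```

The third call is the case Hiram raises: the re-rolled artifact carries a signature the verifier accepts, yet the pinned checksum rejects it.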