incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hiram Chirino" <>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 18:00:14 GMT
On Thu, Sep 18, 2008 at 10:59 AM, sebb <> wrote:
> On 18/09/2008, Hiram Chirino <> wrote:
>> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
>> <> wrote:
>> > Similarly, the issue of signature validation is a significant flaw which
>>  > I also hope maven addresses even more promptly, and which they are aware
>>  > of.  The alternatives are to take down maven until it is secure, or to
>>  > continue to populate maven with various released artifacts.  And this too
>>  > isn't germane to the question above, which is;
>> The signature validation issue has a simple fix which I have already
>>  mentioned earlier.  I'm not sure why folks continue to think it's
>>  still a problem.  All the projects need to do is enable a checksum
>>  validation plugin, and at least that problem is resolved.
> Not sure I agree that the checksum plugin solves the problem.
> As far as I can tell, all that the plugin does is to detect any
> changes to dependencies that occur *after the checksum list is
> initially generated*


> Unless I'm mistaken, it does not guard against the orignal dependency
> already being corrupt, nor does it protect the product itself.

So the responsibility is still on us, the upstream distributor, to
verify the the checksums we list in our source distro are correct.
But at least by doing this, down stream users of our source distros
can rest assured that the dependencies that they are using are the
correct ones.

If a committer by mistake adds an invalid checksum for an artifact
that he been hacked in his repo, hopefully, another developer doing
the build will notice that the build fails due to checksum error if he
has the valid artifact.  At that point they can investigate who has
the valid copy of the artifact.  The more users that are building the
software with the checksum validation, the better of chance you got at
some one noticing a hacked repo artifact.

If by chance all repos being used only have the hacked version of the
artifact and, no one notices it hacked and we release with that.. then
that would be a serious issue yes.  I think we should handle that like
we would handle any serious security flaw in our products.  Re-release
with the flaw (checksum) corrected and advise all our users to

On a side note.. a GPG web of trust would help in trusting the
original binary checksum.  Note that down stream users of our source
distro may not trust people we trust, so they may want those checksums

> What's to stop the checksum list being corrupted?
>>  --
>>  Regards,
>>  Hiram
>>  Blog:
>>  Open Source SOA
>>  ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>>  For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:



Open Source SOA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message