incubator-general mailing list archives

From "Hiram Chirino" <>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 20:21:19 GMT
On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr. <> wrote:
> Hiram Chirino wrote:
>> So the responsibility is still on us, the upstream distributor, to
>> verify the checksums we list in our source distro are correct.
>> But at least by doing this, down stream users of our source distros
>> can rest assured that the dependencies that they are using are the
>> correct ones.
> Not if there is a man in the middle attack.  If you didn't notice the
> recent noise w.r.t. DNS pollution, that's the very point of that vector.
> Had it been exploited, tens of thousands of download users could have
> been presented with inauthentic maven artifacts, complete with their
> freshly corresponding checksums.  Welcome to the internet.

Yes, but that kind of attack would only affect me if it's the first
time I'm creating a dependency to that artifact.  Furthermore, other
existing users of the artifact would detect the artifact replacement,
and act to get the problem corrected.  I consider the checksum
solution very similar to how SSH works in asking you to verify your
initial connection to a host.  It's not 100% secure, but in practical
use, it's in the high 90s.  :)



Open Source SOA
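The pinned-checksum model argued for in this message, as an added example that is not code from the thread or from any Apache project: a trust-on-first-use check against digests shipped inside the source distribution, placed next to the weaker check against a digest served alongside the artifact. The coordinates, payload bytes and function names are constructed for illustration.

```python
import hashlib

# Constructed stand-ins for artifact bytes; not real Maven artifacts.
GENUINE_JAR = b"PK\x03\x04 constructed stand-in for the genuine artifact"
SWAPPED_JAR = b"PK\x03\x04 constructed stand-in for a replaced artifact"
COORDS = "org.example:somelib:1.0"  # constructed group:artifact:version


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_served_checksum(artifact: bytes, served_digest: str) -> bool:
    """Digest fetched from the same repository as the artifact.

    Whoever can substitute the artifact can also serve a matching
    digest, so this catches transit corruption, not substitution.
    """
    return sha256_hex(artifact) == served_digest


def verify_pinned(pins: dict, coords: str, artifact: bytes) -> str:
    """Trust-on-first-use check against pins shipped in the source distro.

    pins maps coordinates to the hex SHA-256 recorded when the dependency
    was first added. Returns 'pinned' on first sight (recorded, not
    verified), 'ok' when the artifact matches the recorded pin, and
    'mismatch' when it differs, i.e. the artifact was replaced.
    """
    digest = sha256_hex(artifact)
    if coords not in pins:
        pins[coords] = digest
        return "pinned"
    return "ok" if pins[coords] == digest else "mismatch"


def scenario() -> dict:
    """Replay the two cases discussed: an existing user whose pin predates
    the substitution detects it; a first-time user pins the swapped one."""
    existing_user = {}
    verify_pinned(existing_user, COORDS, GENUINE_JAR)  # pinned earlier
    first_time_user = {}
    return {
        # attacker-served digest matches attacker-served artifact
        "served_check_passes": verify_served_checksum(
            SWAPPED_JAR, sha256_hex(SWAPPED_JAR)),
        "existing_user": verify_pinned(existing_user, COORDS, SWAPPED_JAR),
        "first_time_user": verify_pinned(first_time_user, COORDS, SWAPPED_JAR),
    }


if __name__ == "__main__":
    print(scenario())
```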
