incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hiram Chirino" <>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 21:25:22 GMT
Trust me I'm not trying to be difficult..

On Thu, Sep 18, 2008 at 4:53 PM, William A. Rowe, Jr.
<> wrote:
> Hiram, I wish you would desist already from debating positions that you
> can't defend...
> Hiram Chirino wrote:
>> On Thu, Sep 18, 2008 at 3:07 PM, sebb <> wrote:
>>> On 18/09/2008, Hiram Chirino <> wrote:
>>>> So the responsibility is still on us, the upstream distributor, to
>>>>  verify the the checksums we list in our source distro are correct.
>>> And how do we do that?
>>> We cannot use the Maven repo as it has already been compromised.
>> If you are a totally paranoid, you would build all the dependencies
>> your self and use those checksums.  :)  Since that's not practical,
>> you have to trust that an artifact on a maven repo has not been
>> hacked.. or even validate it has not been hacked (perhaps the project
>> provides a separate website with the checksums of the artifacts).
> has been breached at least once in it's history.  Over the
> course of the next 100 years, it will likely happen once again.  You have
> two ASF machines and two maven machines in the matrix, the DNS and www
> servers of both ASF and the maven host.  That's four vectors already.
> I'm not even going into other upstream hosts.

Agreed.  I never argued against this.  But I fail to see the point?
Are you saying initial trust is hard to secure?  I totally agree on
that point.  You have any solutions?

> If it were cracked again, MD5 signatures would not be trusted, and all of
> those resources would be wiped if there were no gpg keys available to
> validate the packages.

Are you saying even the source code/svn would be wiped?  If that's the
case we would have a real tragedy on our hands.  I hope we kept good

> At least, you design for this scenario and pray that doesn't happen.
> Hiram Chirino wrote:
>> Yes, but that kind of attack would only affect me if It's the first
>> time I'm creating a dependency to that artifact.  Further more, other
>> existing users of the artifact would detect the artifact replacement,
>> and act to get the problem corrected.  I consider the checksum
>> solution very similar to how SSH work in asking you to verify your
>> initial connection to a host.  It's not 100% secure, but in practical
>> use, it's in the high 90s.  :)
> Using SHA-384 and higher?  Or MD5?  MD5 can be cracked resulting in a
> same sized object.

It's configurable.. We can default to whatever algorithm you think is
the most secure for the foreseeable future.

> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:



Open Source SOA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message