incubator-general mailing list archives

From Jason van Zyl <>
Subject Re: status of PGP support in Maven
Date Fri, 03 Oct 2008 17:11:46 GMT

On 3-Oct-08, at 12:31 PM, Noel J. Bergman wrote:

> Jason van Zyl wrote:
>> Noel J. Bergman wrote:
>>> We don't need for you to implement any "policy" other than the
>>> requirement for users to approve authorized signing keys.  You
>>> simply need to  implement artifact signing and mandatory
>>> authorization, which is why I've moved this to the thread Brett
>>> started for purposes of discussing signing.
>> You are not the Incubator PMC
> And where did I imply otherwise??
>> and what the Incubator says they require is far from clear. Disclaimers,
>> notices, PGP keys. No one knows what anyone wants here. No one
>> can follow these discussions.
> That's rather over the top.

We're talking years here Noel. Point at anything that succinctly  
states the policy. Doesn't exist. I think if you asked anyone right  
now they would have no idea what the result is. We had a majority  
vote, someone on the board said that's the way we should go, some  
agree, some don't, then you step in and say that's not the way it is  
because Greg said that's the way it is. It's not meant to be over the  
top, just a statement of fact.

> The disclaimer and notice requirements are well documented and have been
> for a long time. The PGP key situation is under discussion, likely to be
> resolved by the Infrastructure Team, and will be an ASF-wide issue. The
> Incubator relationship is that the same mandatory requirement for security
> that needs to be imposed on Maven can also address the long-standing
> requirement that users be aware of and accepting that they are using
> Incubator artifacts.

You won't be imposing anything on Maven and what we do with central or  
what security measures we do, or do not implement. Policy here is, of  
course, of the IPMC. Turn on/off repositories as you see fit. It's got  
nothing to do with the way Maven users access the central repository.  
If you don't want to participate directly making artifacts available  
then don't.

We're not fighting you, and technically we've made it easier for folks  
to check if there are signatures but lots of projects don't and that's  
not Maven's problem, it's not Ivy's problem, it's not BuildR's problem.

>> Oleg, who is responsible for implementing Mercury which has
>> full PGP support, has this functionality working on all branches of
>> Maven but the option to use it will be in the hands of the user. As
>> the quality and tools for supporting PGP get better, and more people
>> use them we will again take a look at the default behavior.
>>> Did you not see what just happened to Redhat with respect to
>>> Fedora?  They take artifact security seriously.  For a long time,
>>> it has appeared that Maven does not, but I am hopeful now that
>>> mandatory authorization will appear, so that I and others will not
>>> have to increase lobbying efforts to have the Maven repository
>>> closed, at least with respect to ASF projects.
>> How are you going to stop people from [creating their own artifacts and
>> repositories] Noel when it's their right?
> We don't have to. We can simply mandate that every ASF project sign their
> artifacts and charge the Maven PMC with enforcing it.

The first part is already mandated, or I certainly thought it was. The  
second part of that is not going to happen.

> And perhaps now you start to gain a glimmer of the depth of the problem
> created by Maven's irresponsible, unconscionable, lackadaisical attitude
> towards security, despite other repository exemplars (e.g., Linux
> distributions) having had security in place for years. Yes, it may be a
> bit painful to make the change. On the other hand, imagine the fun when
> someone puts a nice bit of malware into the security-free zone known as the
> Maven repository. Not only do I agree with Henning's assessment, I think
> that network administrators should block the Maven repository at their
> firewalls.

Tell them that. See what they do.

> --- Noel



Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com

We all have problems. How we deal with them is a measure of our worth.

  -- Unknown

