incubator-general mailing list archives

From Jason van Zyl <>
Subject Re: status of PGP support in Maven
Date Tue, 07 Oct 2008 03:42:21 GMT

On 6-Oct-08, at 10:21 AM, Noel J. Bergman wrote:

> Niclas Hedhman wrote:
>> Being in the camp "I hate Maven too"
> I hate Maven's lack of authentication, the potential for widespread damage,
> and am immensely frustrated by their *years* of willfully negligent handling
> thereof.
>> I would like to swap Noel's statement around and ask; Why doesn't
>> security concerned individuals participate in the Maven effort?
>> Lead by example and not by bashing...
> They have received constructive input for years.  They continue to do so.
> Jason's comments appear to echo the old-school negligence that I'd hoped the
> Maven PMC was at long last starting to be cured of.

Noel, your comments are completely out of whack with reality. You are  
asking Maven to enforce something that no one does. Pretty much almost  
no one.

Downloads from our own servers:


  ... almost all are zip's and [.tar].gz's (see extensions report)

    92.72%      .zip [Zip archives]
     2.10%      .gz [Gzip compressed files]
     2.05%      .tar.gz [Compressed archives]
    < 0.1%      .asc (not even listed)

Almost no one is validating PGP signatures. It's not that we couldn't  
in the past, we just had to choose to implement features that  
delivered what our users wanted. Checking PGP signatures is obviously  
not something the vast majority of people do. So pointing your finger  
at us and calling it negligence is not even remotely correct. The same  
goes for the checksums, which people also don't check, but Maven does this  
automatically so we are, in fact, providing a greater degree of  
security to the average user. By default a big warning message  
appears and you can optionally fail builds if the checksum fails.

After having a discussion with Henk about the nature of PGP usage and  
checksums I share his sentiments which he has allowed me to quote:

  -- In the past I have maintained that the most important reason to
     sign stuff is to protect the /ASF/ (as opposed to downloaders).
     People trust the ASF to detect malware (trojans etc) and react
     upon detection. For downloaders, a simple md5 check should be
     sufficient. The ASF should be as cautious/suspicious as the
     most cautious/suspicious downloader imaginable. Are we ?

  -- Another reason: one day some computer science class is going
     to compare various open-software centers (like the ASF) on
     how well such centers protect themselves against malware.
     The ASF should be exemplary. Are we ?

When Mercury is integrated into Maven and people can optionally fail  
builds on failed PGP sig validation Maven will again provide a greater  
degree of security given that the practice of validating sigs is  
pretty much non-existent.

> 	--- Noel



Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com

Our achievements speak for themselves. What we have to keep track
of are our failures, discouragements and doubts. We tend to forget
the past difficulties, the many false starts, and the painful
groping. We see our past achievements as the end result of a
clean forward thrust, and our present difficulties as
signs of decline and decay.

  -- Eric Hoffer, Reflections on the Human Condition
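The mail describes Maven's automatic checksum check: a mismatch produces a warning by default, and the build can optionally be made to fail. The following is an added example, written for this archive page and not code from the thread or from the Maven project, that models that decision as a small policy function over a downloaded artifact and its `.sha1`/`.md5` sidecar file. The three policy names mirror the values Maven's repository `<checksumPolicy>` setting accepts (`ignore`, `warn`, `fail`; `mvn -C` / `--strict-checksums` selects `fail` from the command line). The artifact bytes, the sidecar texts and the "mirror returned an HTML page instead of a digest" case are constructed sample inputs; `parse_checksum_file`, `checksum_matches` and `apply_policy` are names chosen here, not Maven APIs.

```python
import hashlib
import hmac

# Policy names mirror the three values Maven accepts for <checksumPolicy>:
# "ignore", "warn" (the default the mail describes) and "fail".
POLICIES = ("ignore", "warn", "fail")

# Constructed sample input: fake artifact bytes and the text of the .sha1
# sidecar file a repository would publish next to it (a bare hex digest).
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed sample jar bytes, not a real archive\n"
SAMPLE_SHA1_TEXT = hashlib.sha1(SAMPLE_ARTIFACT).hexdigest() + "\n"
# Same digest in the "digest  filename" form written by sha1sum, which some
# sidecar files use.
SAMPLE_SHA1_SUM_FORM = hashlib.sha1(SAMPLE_ARTIFACT).hexdigest() + "  sample-1.0.jar\n"
# A modified copy of the artifact (constructed), to exercise the mismatch path.
TAMPERED_ARTIFACT = SAMPLE_ARTIFACT + b"\x00 extra bytes\n"
# What a misconfigured mirror may return instead of a checksum (constructed).
BOGUS_SIDECAR = "<html><body>404 Not Found</body></html>\n"


def parse_checksum_file(text):
    """Extract the hex digest from a .md5/.sha1 sidecar file.

    Accepts either a bare digest or "digest  filename" (md5sum/sha1sum
    form). Returns None when the first token is not a hex string, so an
    error page or an empty file can never match anything.
    """
    tokens = text.split()
    if not tokens:
        return None
    digest = tokens[0].lower()
    if not all(c in "0123456789abcdef" for c in digest):
        return None
    return digest


def checksum_matches(artifact, checksum_text, algorithm="sha1"):
    """True if the artifact's digest equals the one in the sidecar file."""
    expected = parse_checksum_file(checksum_text)
    if expected is None:
        return False
    actual = hashlib.new(algorithm, artifact).hexdigest()
    # Constant-time comparison; also returns False on differing lengths.
    return hmac.compare_digest(actual, expected)


def apply_policy(artifact, checksum_text, policy="warn", algorithm="sha1"):
    """Decide whether to accept the artifact under the given policy.

    Returns (accepted, message). Under "warn" a mismatch is accepted with a
    warning, the default behaviour the mail describes; under "fail" it is
    rejected, the opt-in strict behaviour; under "ignore" nothing is checked.
    """
    if policy not in POLICIES:
        raise ValueError("unknown checksum policy: %r" % (policy,))
    if policy == "ignore":
        return True, "checksum not verified (policy=ignore)"
    if checksum_matches(artifact, checksum_text, algorithm):
        return True, "checksum OK (%s)" % algorithm
    if policy == "warn":
        return True, "WARNING: %s checksum mismatch, artifact accepted anyway" % algorithm
    return False, "ERROR: %s checksum mismatch, artifact rejected" % algorithm


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, apply_policy(TAMPERED_ARTIFACT, SAMPLE_SHA1_TEXT, policy))
```

Two points the thread turns on show up directly in the code. First, `warn` and `fail` differ only in the last line of `apply_policy`; the check itself is identical, which is why the cost of opting into `fail` is low. Second, a sidecar digest fetched from the same server as the artifact can only detect corruption or a broken mirror: whoever can replace the jar can replace the `.sha1` next to it. That is the gap a detached PGP signature verified against a key obtained out of band is meant to close, and why Henk's quote frames signing as protecting the publisher rather than the downloader.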
