incubator-general mailing list archives

From "Noel J. Bergman" <>
Subject RE: status of PGP support in Maven
Date Fri, 03 Oct 2008 16:31:30 GMT
Jason van Zyl wrote:

> Noel J. Bergman wrote:
> > We don't need for you to implement any "policy" other than the
> > requirement for users to approve authorized signing keys.  You
> > simply need to implement artifact signing and mandatory
> > authorization, which is why I've moved this to the thread Brett
> > started for purposes of discussing signing.

> You are not the Incubator PMC

And where did I imply otherwise??

> and what the Incubator says they require is far from clear. Disclaimers,
> notices, PGP keys. No one knows what anyone wants here. No one
> can follow these discussions.

That's rather over the top.  The disclaimer and notice requirements are well
documented and have been for a long time.  The PGP key situation is under
discussion, likely to be resolved by the Infrastructure Team, and will be an
ASF-wide issue.  The Incubator relationship is that the same mandatory
requirement for security that needs to be imposed on Maven can also address
the long-standing requirement that users be aware of and accepting that they
are using Incubator artifacts.

> Oleg, who is responsible for implementing Mercury which has
> full PGP support, has this functionality working on all branches of
> Maven but the option to use it will be in the hands of the user. As
> the quality and tools for supporting PGP get better, and more people
> use them we will again take a look at the default behavior.

> > Did you not see what just happened to Redhat with respect to
> > Fedora?  They take artifact security seriously.  For a long time,
> > it has appeared that Maven does not, but I am hopeful now that
> > mandatory authorization will appear, so that I and others will not
> > have to increase lobbying efforts to have the Maven repository
> > closed, at least with respect to ASF projects.

> How are you going to stop people from [creating their own artifacts and
> repositories] Noel when it's their right?

We don't have to.  We can simply mandate that every ASF project sign their
artifacts and charge the Maven PMC with enforcing it.

And perhaps now you start to gain a glimmer of the depth of the problem
created by Maven's irresponsible, unconscionable, lackadaisical attitude
towards security, despite other repository exemplars (e.g., Linux
distributions) having had security in place for years.  Yes, it may be a
bit painful to make the change.  On the other hand, imagine the fun when
someone puts a nice bit of malware into the security-free zone known as the
Maven repository.  Not only do I agree with Henning's assessment, I think
that network administrators should block the Maven repository at their
	--- Noel
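The distinction the thread turns on, that a valid signature proves only that the artifact matches what some key holder signed, while "mandatory authorization" additionally requires the key to be one the user has approved, can be shown as a small policy check. The following is an added example, not code from this thread, from Maven, or from Mercury. It assumes GnuPG's documented machine-readable `--status-fd` output (keywords such as GOODSIG, VALIDSIG, BADSIG, ERRSIG, NO_PUBKEY); the status lines, names and key fingerprints are constructed for illustration.

```python
"""Added example: a policy layer that turns "verify the PGP signature" into
"verify AND require an authorized key" for a downloaded artifact.

The parser reads GnuPG's machine-readable --status-fd lines (format documented
in GnuPG's doc/DETAILS). Sample lines, names and fingerprints are constructed.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional, Set

# Constructed allowlist of full key fingerprints the user has approved.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Status keywords meaning the signature itself must not be accepted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Decision:
    accepted: bool
    reason: str
    fingerprint: Optional[str] = None


def normalize_fingerprint(fpr: str) -> str:
    """Canonical form: uppercase hex with no grouping spaces."""
    return fpr.replace(" ", "").upper()


def authorize(status_output: str, trusted: Set[str]) -> Decision:
    """Decide whether gpg's --status-fd output satisfies the policy:
    a good signature AND a signing key (or its primary key) on the allowlist."""
    trusted = {normalize_fingerprint(f) for f in trusted}
    good_sig = False
    failure: Optional[str] = None
    signing_fpr: Optional[str] = None
    primary_fpr: Optional[str] = None

    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary gpg output, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword in FAILURE_KEYWORDS:
            failure = failure or keyword
        elif keyword == "NO_PUBKEY":
            failure = "NO_PUBKEY"  # more specific than the ERRSIG preceding it
        elif keyword == "GOODSIG":
            good_sig = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pkalgo>
            #          <hashalgo> <class> [<primary-key-fpr>]
            signing_fpr = normalize_fingerprint(fields[2])
            if len(fields) > 11:
                primary_fpr = normalize_fingerprint(fields[11])

    if failure == "NO_PUBKEY":
        return Decision(False, "signing key is not in the keyring, signature unverifiable")
    if failure:
        return Decision(False, f"gpg reported {failure}", signing_fpr)
    if not (good_sig and signing_fpr):
        return Decision(False, "no valid signature found")
    # Pinning a primary key authorizes its signing subkeys as well.
    if signing_fpr in trusted or (primary_fpr and primary_fpr in trusted):
        return Decision(True, "good signature from an authorized key", signing_fpr)
    # The signature is cryptographically fine; the policy still rejects it.
    return Decision(False, "good signature, but the key is not authorized", signing_fpr)


def verify_artifact(artifact: str, signature: str, trusted: Set[str]) -> Decision:
    """Run gpg on a real artifact and its detached .asc (requires gpg on PATH)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False,
    )
    return authorize(proc.stdout, trusted)


# Constructed status outputs covering the cases the policy must distinguish.
STATUS_AUTHORIZED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release Manager <rm@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-10-03 1223051490 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <someone@example.net>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2008-10-03 1223051490 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""
STATUS_TAMPERED = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Release Manager <rm@example.org>
"""
STATUS_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1223051490 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

if __name__ == "__main__":
    for name, status in [("authorized", STATUS_AUTHORIZED), ("unknown key", STATUS_UNKNOWN_KEY),
                         ("tampered", STATUS_TAMPERED), ("no key", STATUS_NO_KEY)]:
        print(f"{name:12s} -> {authorize(status, TRUSTED_FINGERPRINTS)}")
```

Note that gpg's own TRUST_UNDEFINED line is deliberately ignored: the web-of-trust level is not the policy here. The decision is made purely on the allowlist, so an empty allowlist rejects every artifact, which is exactly the "users must approve authorized signing keys" behaviour rather than "signature checking is optional".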
