incubator-general mailing list archives

From "Noel J. Bergman" <>
Subject RE: status of PGP support in Maven
Date Fri, 03 Oct 2008 15:20:59 GMT
Hiram wrote:
> a source build like Apache ServiceMix depends on hundreds of
> third party dependencies... so an end user would need to end up
> trusting LOTS of different signatures to get ServiceMix to build.

> It would be easier if the end user could just trust the Apache source
> distro and also transitively trust the signatures that we trust for
> our dependencies.

A signature is a signed digest.

One way of addressing your issue would be to allow you to include your own
signatures (signed digests) for your downstream dependencies.  If I trust
your package, I will trust your signed digests, and therefore if the decoded
digests match the downstream artifact, that would be deemed OK in this

This would mean having to recheck artifacts for each dependent project,
since I cannot trust dependent D for project B just because I trusted it for
project A.  Project A might have been released specifically in order to have
me accept a trojan dependency.

This is off-the-cuff, and definitely subject to amendment if not outright
retraction if/when Henning et al shoot holes in it.  :-)

	--- Noel
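As an added illustration that is not part of this thread: the check Noel sketches, written out in Go. It assumes a sha256sum-style text manifest as the format of the project's "signed digests" and uses Ed25519 in place of PGP; both are assumptions of this example, not anything Maven, ServiceMix or the thread specify. The end user trusts one project key, verifies the manifest under it, and compares the listed digest against the artifact actually fetched; nothing is cached for another project to reuse.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// SignManifest is the upstream release step (Ed25519 stands in for PGP in this example).
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// recordedDigest finds name in the manifest text, one "<artifact> <hex sha256>" line each.
func recordedDigest(manifest []byte, name string) string {
	for _, line := range strings.Split(string(manifest), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == name {
			return f[1]
		}
	}
	return ""
}

// VerifyDependency: trust only the project's key, verify the manifest under it, then compare
// the listed digest with the fetched artifact. Trust is per (key, manifest); nothing carries over.
func VerifyDependency(key ed25519.PublicKey, manifest, sig []byte, name string, artifact []byte) error {
	if !ed25519.Verify(key, manifest, sig) {
		return errors.New("manifest signature does not verify under the trusted key")
	}
	want := recordedDigest(manifest, name)
	if want == "" {
		return errors.New("artifact not listed in signed manifest: " + name)
	}
	if fmt.Sprintf("%x", sha256.Sum256(artifact)) != want {
		return errors.New("digest mismatch for " + name)
	}
	return nil
}

func main() { // constructed release: project A's key vouches for dependency D-1.0.jar
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dep := []byte("constructed bytes of dependency D-1.0.jar")
	manifest := []byte(fmt.Sprintf("D-1.0.jar %x\n", sha256.Sum256(dep)))
	sig := SignManifest(priv, manifest)
	fmt.Println(VerifyDependency(pub, manifest, sig, "D-1.0.jar", dep))                  // <nil>
	fmt.Println(VerifyDependency(pub, manifest, sig, "D-1.0.jar", []byte("trojaned D"))) // digest mismatch for D-1.0.jar
}
```

The last case in main is the trojan dependency Noel describes: the manifest signature is fine, but the fetched artifact no longer matches the digest project A signed, so it is rejected.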
