incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hiram Chirino" <>
Subject Re: status of PGP support in Maven
Date Mon, 06 Oct 2008 14:24:49 GMT
Note that problem A and B both occur at manual steps in the
build/development process.
Just wanted to point that out to folks who complain that maven is
insecure because it downloads stuff automatically.

With checksums, as long as the manual steps are secure, automated bits
should be secure too.


> There are maven plugins that can validate the checksums of 3rd party
> dependencies.  Works well as long as:
> A) You can trust that your apache-baz-1.0 source has not been tampered with.
> B) The dependency had not been tampered with at the time that the
> dependency was first added to the build.  (Since that's when the
> expected checksum is calculated)
> Problem A: is universal to all builds at apache even if it's a maven
> based or make based build.  I guess this is what the GPG discussion is
> about.
> Problem B: Could be further reduced if the 3rd party used some type
> signing to help the apache developers validate that the 3rd party
> artifact is indeed authentic.
> If dependency checksum validation was encouraged by all our source
> builds, I think Problem B would become even less of a problem because
> you would get a network effect between all the source builds.  As more
> more projects add a 3rd party dependency validated by a checksum, it
> becomes harder to exploit that 3rd party dependency as the artifact
> checksum gets checked by more and more builds.  Tampering with the
> artifact would result some builds builds breaking and folks
> investigating the tampering.  Therefore the most effective way to
> tamper with a 3rd party artifact would be to do it when the 3rd party
> artifact first gets deployed.  So in effect we reduce the
> vulnerability window that exploits are effective in, which I think
> helps.
> --
> Regards,
> Hiram
> Blog:
> Open Source SOA



Open Source SOA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message