incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Burrell Donkin" <>
Subject Re: status of PGP support in Maven
Date Fri, 03 Oct 2008 17:02:35 GMT
On Fri, Oct 3, 2008 at 5:31 PM, Noel J. Bergman <> wrote:
> Jason van Zyl wrote:
>> Noel J. Bergman wrote:


>> > Did you not see what just happened to Redhat with respect to
>> > Fedora?  They take artifact security seriously.  For a long time,
>> > it has appeared that Maven does not, but I am hopeful now that
>> > mandatory authorization will appear, so that I and others will not
>> > have to increase lobbying efforts to have the Maven repository
>> > closed, at least with respect to ASF projects.
>> How are you going to stop people from [creating their own artifacts and
> repositories] Noel when its their right?
> We don't have to.  We can simply mandate that every ASF project sign their
> artifacts and charge the Maven PMC with enforcing it.

sounds very reasonsable

> And perhaps now you start to gain a glimer of the depth of the problem
> created by Maven's irresponsible, unconscionable, lackadaisical, attitude
> towards security, despite other repository exemplars (e.g., linux
> distributions), having had security in place for years.

that's probably a little strong

many distros have only really addressed this in the last year or so,
and even then their solutions are far from perfect

IMO a combination of approaches is require to deliver good defense in
depth combining auditing, automatic signing, publication and wide
dissemination of results together with signatures by release managers.

this is also something that may well be best solved in a common forum.
it would be very useful to reach out to other organisations such as
fedora, debian, eclipse, etc which have similiar problems.

- robert

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message