ant-dev mailing list archives

From Stefan Bodewig <>
Subject Re: validating content in Maven repositories
Date Tue, 26 Oct 2004 05:56:37 GMT
This is in addition to Conor's remarks.

On Fri, 22 Oct 2004, Steve Loughran <> wrote:

> The only way to secure it is one of
> 1. checksums to live on  an http server you trust
> 2. things to be signed by a CA you trust. 

things PGP signed by somebody you trust (or can build a chain of trust
to). has Java APIs to PGP IIRC.

> Also, can/should we declare ourselves a CA and sign all our ant
> jars.

I think we already have an ASF CA we used to create the certificate for
https access to the Subversion repo.  I may be wrong, though.

Setting up a "real" CA is under active consideration, we even already
have some infrastructure pieces for it in Ben Laurie's bunker.  We
could create certificates for signing the jars with them.

Personally I'm happy with PGP.  A CA in the end has similar trust
issues as a PGP key.  Why should I trust the CA more than Antoine's or
Magesh's PGP key?

We certainly need a better web of trust.  As many committers (or users
for that matter) as possible should create PGP keys and use every
opportunity to cross sign the keys of people they meet.
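
The two checks the thread describes, a checksum obtained from a server you trust and a detached PGP signature from a key you trust, as an added shell example that is not code from this thread or from the Ant project. The artifact and signature file names, the keyring path and the fingerprint are placeholders; the sample "jar" is a constructed file with a known SHA-1.

```shell
#!/bin/sh
# Added example, not code from the ant-dev thread or the Ant project.
# Validates a Maven-repository artifact the two ways discussed above:
#   1. against a checksum that came from a server you trust (passed in by
#      the caller, never fetched from the same mirror as the jar), and
#   2. against a detached PGP signature (.asc) made by a key whose
#      fingerprint you already trust, checked in a dedicated keyring.
# File names, keyring path and fingerprint below are assumptions.

# Compare the jar against a SHA-1 obtained out of band. Checksum files in
# Maven repositories carry either "<hex>" or "<hex>  <filename>", so only
# the first field is used, and case is normalised.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Verify the detached signature and insist that the signer is the pinned
# key. Reading the --status-fd output is what makes this meaningful: a bare
# "gpg --verify" exit status is 0 for *any* key present in the keyring.
# The VALIDSIG line lists the signing (sub)key fingerprint first and the
# primary key fingerprint last, so either may be pinned.
# Needs gpg on PATH; returns 1 for a bad/unknown signature, 2 if gpg is absent.
verify_signature() {
    file=$1
    sig=$2
    keyring=$3   # keyring holding only keys you trust for this purpose
    fpr=$4       # full 40-hex-digit fingerprint of the expected signer
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | grep "^\[GNUPG:\] VALIDSIG " | grep -q "$fpr"
}

# Demonstration on constructed data: a stand-in "jar" whose SHA-1 is known.
tmp=$(mktemp)
printf 'hello\n' > "$tmp"
good='f572d396fae9206628714fb2ce00f72e94f2258f'
if verify_checksum "$tmp" "$good  ant-1.6.2.jar"; then
    echo "checksum ok"
fi
if ! verify_checksum "$tmp" "0000000000000000000000000000000000000000"; then
    echo "tampered artifact rejected"
fi
# A real run adds, with your own keyring and the committer's fingerprint
# (both placeholders here):
#   verify_signature ant-1.6.2.jar ant-1.6.2.jar.asc \
#       "$HOME/.gnupg/ant-trusted.gpg" 0123456789ABCDEF0123456789ABCDEF01234567
rm -f "$tmp"
```

The important design point is the one Stefan makes about trust: the checksum only helps if it arrives over a channel you trust more than the mirror, and the signature only helps if you pin the fingerprint of a key you (or your web of trust) have verified, rather than accepting whatever key happens to verify.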

