incubator-general mailing list archives

From "Robert Burrell Donkin" <>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Mon, 02 Jun 2008 18:39:47 GMT
On Mon, Jun 2, 2008 at 7:29 PM, William A. Rowe, Jr. <> wrote:
> Noel J. Bergman wrote:
>> Gilles Scokart wrote:
>>> Noel J. Bergman:
>>>> Implement that, and we're fine.  We will
>>>> require Incubator artifacts to be signed by a designated key available to
>>>> the PMC, and once a user has acknowledged that they accept such Incubator
>>>> signed artifacts, maven can do what it wants with them.
>>>       --- Noel
>>> Is that really possible?
>> Very.
> Why is it not equally possible to validate against a short list of keys
> (e.g. infra PMC members) and their immediate trust.  This is what gpg is
> good at.

The short answer is not quite (the trust models are too different). My
conclusion was that meta-data signed by a short list of keys in the
WoT would be good enough.

>>> I remember some discussion on the infra list about an ASF wide signature.
>>> And the conclusion was always the same: how to secure a key that can be
>>> used by so many people.  If I remember well, some solutions were proposed,
>>> but they were quite heavy.  Do we have a solution for that?

There's no need to distribute a master key.

>> There are various things that can be done with respect to key management.

Key management is tricky.

>> Personally, I would not go with a single key.  But maven ought to maintain a
>> trust file, with options to accept files that are signed with a trusted key,
>> or signed by a key that is signed by a trusted key, etc.

This is where the complexity lies. IIRC it was quite tough to come up
with a user-friendly trust model that worked correctly.

>> The first thing that has to happen is for the Maven PMC to make security a priority.
> As far as signing jars, microsoft authenticode etc, Noel and I planned to
> create such a service (although we've both been really busy in the past few
> months).  But it will always require that the artifacts are already signed
> by someone in the ASF's web-of-trust via pgp.

We don't actually require that the artifacts are signed: just
meta-data about the artifacts.

- robert
