incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <>
Subject Re: Complications with Gradle wrapped projects and source releases (Samza, DataFu, Aurora)
Date Fri, 13 Jun 2014 18:14:25 GMT
On 10 June 2014 16:20, Marvin Humphrey <> wrote:

> One fundamental problem with compiled deps is that unlike source code, they
> cannot be reviewed by a PMC -- so they are potential trojan horses.  Maybe
> it's possible to address that specific concern by compiling an ASF
> whitelist
> of individual jar files whose provenance can be guaranteed and whose
> identity
> is verified via PGP prior to committing?

true, but who does a transitive validation of all mvn/ivy dependencies,
validating the checksums from an HTTPS server while pulling them down from
a normal HTTP link. Were I to perform a MITM intercept of maven central
DNS/GETs at something like apachecon, I'd probably have everyone's
password-less ssh keys within 48 hours.

Speaking of which  12 days for your apachecon EU submission...


NOTICE: This message is intended for the use of the individual or entity to 
which it is addressed and may contain information that is confidential, 
privileged and exempt from disclosure under applicable law. If the reader 
of this message is not the intended recipient, you are hereby notified that 
any printing, copying, dissemination, distribution, disclosure or 
forwarding of this communication is strictly prohibited. If you have 
received this communication in error, please contact the sender immediately 
and delete it from your system. Thank You.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message