incubator-general mailing list archives
From: Marvin Humphrey
Subject: Re: Complications with Gradle wrapped projects and source releases (Samza, DataFu, Aurora)
Date: Fri, 13 Jun 2014 22:52:08 GMT
On Fri, Jun 13, 2014 at 11:14 AM, Steve Loughran wrote:
> On 10 June 2014 16:20, Marvin Humphrey wrote:
>> One fundamental problem with compiled deps is that unlike source code, they
>> cannot be reviewed by a PMC -- so they are potential trojan horses.  Maybe
>> it's possible to address that specific concern by compiling an ASF
>> whitelist of individual jar files whose provenance can be guaranteed and
>> whose identity is verified via PGP prior to committing?
> True, but who does a transitive validation of all mvn/ivy dependencies,
> validating the checksums from an HTTPS server while pulling them down from
> a normal HTTP link. Were I to perform a MITM intercept of maven central
> DNS/GETs at something like apachecon, I'd probably have everyone's
> password-less ssh keys within 48 hours.

If I'm understanding the Gradle situation right, the task at hand is more
limited: to get the Gradle wrapper alone into version control.  There seems to
be a closed set of files which we could build from source in a
controlled environment, sign with PGP keys, and archive somewhere.

Extrapolating out to arbitrary dependencies and arbitrary build systems is a
worthwhile exercise when considering the potential for org-certified
binaries -- is it feasible to assemble a collection of certified dependencies
and use those in conjunction with disposable build servers running offline to
compile releases securely?  But that's a much bigger topic.

Marvin Humphrey
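The workflow sketched above (a closed set of bootstrap binaries built in a controlled environment, their identity recorded and verified before every use) as an added Python example; it is not code from the thread or from Samza, DataFu, Aurora or Gradle, and the allowlist format, file names and sample bytes are assumptions. Gradle's own `distributionSha256Sum` setting in `gradle-wrapper.properties` pins the distribution zip the wrapper downloads, but the checked-in wrapper jar itself needs a check like this one.

```python
import hashlib
import hmac
from pathlib import Path
# Constructed allowlist format: repo-relative path -> SHA-256 hex of the artifact as
# built from source on a controlled box; committed (and PGP-signed) beside the artifacts.
Allowlist = dict[str, str]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_trusted(allowlist: Allowlist, relpath: str, data: bytes) -> str:
    """Step 1 (controlled build): record the digest of a freshly built artifact."""
    allowlist[relpath] = sha256_hex(data)
    return allowlist[relpath]

def verify_artifact(allowlist: Allowlist, relpath: str, data: bytes) -> tuple[bool, str]:
    """Step 2 (every checkout / CI run): reject unknown or altered artifacts."""
    expected = allowlist.get(relpath)
    if expected is None:
        return False, f"{relpath}: not on the allowlist"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return False, f"{relpath}: digest mismatch ({expected[:12]}.. != {actual[:12]}..)"
    return True, f"{relpath}: verified"

def verify_checkout(allowlist: Allowlist, root) -> list[str]:
    """Check every allowlisted artifact under root; return failures (empty == clean)."""
    failures = []
    for relpath in sorted(allowlist):
        path = Path(root) / relpath
        if not path.is_file():
            failures.append(f"{relpath}: missing")
            continue
        ok, msg = verify_artifact(allowlist, relpath, path.read_bytes())
        if not ok:
            failures.append(msg)
    return failures

# Constructed stand-ins: a wrapper jar built from source, and a tampered copy
# such as a MITM on a plain-HTTP download could deliver in its place.
TRUSTED_JAR = b"PK\x03\x04 constructed stand-in for gradle-wrapper.jar"
TAMPERED_JAR = TRUSTED_JAR + b"\x00 injected bytes"
WRAPPER_PATH = "gradle/wrapper/gradle-wrapper.jar"
def demo() -> tuple[bool, bool, bool]:
    """Returns (trusted verifies, tampered rejected, unlisted rejected)."""
    allowlist: Allowlist = {}
    record_trusted(allowlist, WRAPPER_PATH, TRUSTED_JAR)
    return (verify_artifact(allowlist, WRAPPER_PATH, TRUSTED_JAR)[0],
            not verify_artifact(allowlist, WRAPPER_PATH, TAMPERED_JAR)[0],
            not verify_artifact(allowlist, "lib/unlisted.jar", TRUSTED_JAR)[0])
```

Run `verify_checkout` against the working tree as the first step of the build; a non-empty result should fail the build rather than warn.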
