direct control by Maven while downloading dependencies seems ideal, but I fear it's hard to have normal users aware of keys and managing them while building their artifacts.

I imagine something useful would be some report too, to display the status of actual dependencies: imagine adding a key reference to every dependency in the dependencies report [1].

Anybody interested in coding such an improvement? Or any other idea?

Definitely, it seems the right moment to improve users' awareness about security: IMHO, people will discover that security isn't automagic and will require involvement to decide what to trust and what not to trust, and that trust is a personal choice.

Regards,

Hervé

[1] http://maven.apache.org/plugins/maven-dependency-plugin/dependencies.html

On Tuesday 29 July 2014 13:31:30, Brett Porter wrote:
> On 29 Jul 2014, at 12:14 pm, Mark Derricutt <[email protected]> wrote:
> > Hey all,
> >
> > Just been reading [1] after it was mentioned in both #scala and #clojure
> > on irc.freenode.org. Now, is there anything that can be done to alleviate
> > some of these issues?
> >
> > oss.sonatype.org now requires everything to be GPG signed before being
> > uploaded to central, but I'm not sure about any of the other means of
> > getting artifacts uploaded.
> >
> > Are there any plugins out there to verify GPG signings of dependencies?
>
> If anyone is interested in picking up work on this, I pulled some things
> together some years ago:
> http://docs.codehaus.org/display/MAVEN/Repository+Security
>
> There was a working prototype against Maven 2, but for various reasons
> didn't get further than that.
>
> - Brett
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
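The "signature status per dependency" report discussed above, in the smallest form that can be run today: an added example, not code from this thread or from the Maven project, and not a Maven plugin. It walks a local repository laid out like ~/.m2/repository and, for every jar, reports whether a detached signature is present, whether gpg accepts it, which key fingerprint signed it and how far your own keyring trusts that key. The function names verify_artifact and report_repo are hypothetical, and the example assumes GnuPG 2.x is on PATH as gpg and that an ASCII-armoured <artifact>.asc sits beside each artifact, as Central publishes them (Maven does not fetch the .asc files alongside the jars by default, so they have to be fetched separately). gpg's exit code alone cannot tell "bad signature" from "no public key", which is why the script parses the machine-readable --status-fd lines instead.

```shell
#!/bin/sh
# Added example (not Maven project code): signature status report over a
# Maven-style local repository. Assumes GnuPG 2.x on PATH as `gpg` and a
# detached, armoured <artifact>.asc next to each artifact.

# verify_artifact <file>
# Prints one line: "<STATUS> <fingerprint-or-keyid-or-dash> [<trust>]"
# STATUS is one of GOOD, BAD, NOKEY, UNSIGNED, ERROR.
verify_artifact() {
    jar=$1
    asc="$jar.asc"
    if [ ! -f "$asc" ]; then
        printf 'UNSIGNED -\n'
        return 0
    fi
    # --status-fd 1 puts the machine-readable [GNUPG:] lines on stdout.
    # "|| true" keeps this usable under "set -e": gpg exits non-zero on
    # BADSIG and on NO_PUBKEY alike, so the exit code is not enough.
    status=$(gpg --batch --status-fd 1 --verify "$asc" "$jar" 2>/dev/null || true)
    case "$status" in
        *"[GNUPG:] VALIDSIG "*)
            # VALIDSIG carries the full fingerprint of the signing key.
            # TRUST_* says how far YOUR keyring trusts that key; a valid
            # signature from a key you never chose to trust is still "GOOD".
            fpr=$(printf '%s\n' "$status" |
                awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
            trust=$(printf '%s\n' "$status" |
                awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { sub("TRUST_", "", $2); print $2; exit }')
            printf 'GOOD %s %s\n' "$fpr" "${trust:-UNKNOWN}"
            ;;
        *"[GNUPG:] BADSIG "*)
            # Signature present but does not match the file: tampered or corrupt.
            printf 'BAD -\n'
            ;;
        *"[GNUPG:] NO_PUBKEY "*)
            # Signature present but the signer's key is not in the keyring:
            # nothing has been verified yet. Report the key id so it can be fetched.
            keyid=$(printf '%s\n' "$status" |
                awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3; exit }')
            printf 'NOKEY %s\n' "$keyid"
            ;;
        *)
            printf 'ERROR -\n'
            ;;
    esac
}

# report_repo <repo-root>
# Walks <repo-root>/<group/path>/<artifactId>/<version>/<artifactId>-<version>.jar
# and prints "groupId:artifactId:version STATUS KEY [TRUST]" per jar,
# deriving the coordinates from the standard repository layout.
report_repo() {
    repo=${1%/}
    find "$repo" -type f -name '*.jar' | sort | while IFS= read -r jar; do
        vdir=$(dirname "$jar")
        version=$(basename "$vdir")
        adir=$(dirname "$vdir")
        artifact=$(basename "$adir")
        gpath=$(dirname "$adir")
        gpath=${gpath#"$repo"/}
        group=$(printf '%s' "$gpath" | tr '/' '.')
        printf '%s:%s:%s %s\n' "$group" "$artifact" "$version" "$(verify_artifact "$jar")"
    done
}

# Usage, e.g.:  report_repo "$HOME/.m2/repository"
```

Two things the report makes visible that a plain `gpg --verify` exit code hides: NOKEY rows, where a signature exists but nothing has actually been checked, and the trust column on GOOD rows, which is where the "what to trust is a personal choice" part of the thread lands. Deciding which fingerprints belong to which projects is still a human step; this only tells you where that decision is still missing.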
