On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
> On Sat, May 31, 2008 at 3:42 AM, Brett Porter <[EMAIL PROTECTED]> wrote:
>> 2008/5/31 Brian E. Fox <[EMAIL PROTECTED]>:
>>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>>> for over a year now and this is the first I've heard of it. We do support
>>> signing of artifacts and all the maven releases are signed. We obviously
>>> don't control all the other Apache projects in a way to enforce that they
>>> sign their artifacts.
>>
>> Noel is referring to enforcing checking signatures, not signing them.
>> I've had a proposal out there for some time which anyone is free to
>> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>>
>> There hasn't been a lot of traction behind it so far. Ease of use,
>> especially OOTB, is probably one of the main concerns.
>
> IMO this isn't really a maven issue: basic checks should be performed on
> all releases. I favour a private subversion repository with custom hooks
> for release publishing.
I think that maven basically changes the equation, since it is responsible for automatically downloading artifacts, and this feature is a huge usability win. I think that currently, usability trumps security.
Since maven automatically downloads artifacts, it's technically feasible for maven to verify the signatures of those artifacts and allow for control by the user over whether or not to trust the artifacts.
For example, "trust all unsigned", "trust all signed", "trust all signed in Apache WOT" might be reasonable policies declared by the user.
Craig
> - robert
Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!
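Craig's policy sketch above, worked through as an added example (not code from this thread, from Maven, or from the Repository Security proposal): a client-side check that verifies the detached signature on a downloaded artifact and then applies one of the three declared policies. Assumptions: Ed25519 stands in for the OpenPGP signatures Apache actually publishes; the web of trust is modelled as a flat set of trusted key ids rather than a computed trust path; KeyID is a hypothetical short id; the keys and artifact bytes are constructed in BuildScenario. Two choices are deliberate: a signature that fails to verify is refused under every policy, including "trust all unsigned", because it is evidence of tampering rather than absence of a signature; and a signature whose key the client does not hold is treated as unsigned, since it proves nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Policy is the trust policy the user declares for automatically downloaded artifacts.
type Policy int
const (
	TrustUnsigned   Policy = iota // "trust all unsigned": accept anything not provably tampered with
	TrustAnySigned                // "trust all signed": need a signature that verifies under a known key
	TrustWebOfTrust               // "trust all signed in Apache WOT": the signing key must also be trusted
)

// Status is what the client learned about one artifact.
type Status int
const (
	Unsigned           Status = iota // no detached signature published next to the artifact
	SignedUnknownKey                 // signature present but the signer's key is not in the keyring
	BadSignature                     // key known, signature does not verify: treat as tampering
	SignedUntrustedKey               // verifies under a known key that is outside the web of trust
	SignedTrustedKey                 // verifies under a key inside the web of trust
)

type Artifact struct {
	Name  string
	Data  []byte
	Sig   []byte // nil when the project published no signature (stands in for the .asc file)
	KeyID string // id of the claimed signing key
}

type Keyring struct {
	Keys    map[string]ed25519.PublicKey // public keys the client knows, by id
	Trusted map[string]bool              // web-of-trust membership, modelled here as a flat set
}

// KeyID is a hypothetical short key id; OpenPGP would use the real key id/fingerprint.
func KeyID(pk ed25519.PublicKey) string { return hex.EncodeToString(pk[:8]) }

// Check verifies the detached signature and classifies the outcome.
func (kr Keyring) Check(a Artifact) Status {
	pk, ok := kr.Keys[a.KeyID]
	switch {
	case a.Sig == nil:
		return Unsigned
	case !ok:
		return SignedUnknownKey
	case !ed25519.Verify(pk, a.Data, a.Sig):
		return BadSignature
	case kr.Trusted[a.KeyID]:
		return SignedTrustedKey
	}
	return SignedUntrustedKey
}

// Allows applies the user's policy. A failed signature is rejected under every policy
// (evidence of tampering); a signature that cannot be checked counts as unsigned.
func (p Policy) Allows(s Status) bool {
	switch s {
	case SignedTrustedKey:
		return true
	case SignedUntrustedKey:
		return p <= TrustAnySigned
	case Unsigned, SignedUnknownKey:
		return p == TrustUnsigned
	default: // BadSignature
		return false
	}
}

// BuildScenario constructs (nothing here is fetched from a real repository) one key inside
// the web of trust, one outside it, and four artifacts covering each outcome.
func BuildScenario() (Keyring, []Artifact) {
	wotPub, wotPriv, _ := ed25519.GenerateKey(rand.Reader)
	extPub, extPriv, _ := ed25519.GenerateKey(rand.Reader)
	kr := Keyring{
		Keys:    map[string]ed25519.PublicKey{KeyID(wotPub): wotPub, KeyID(extPub): extPub},
		Trusted: map[string]bool{KeyID(wotPub): true},
	}
	jar := []byte("constructed artifact bytes: example-1.0.jar")
	tampered := []byte("constructed artifact bytes: example-1.0.jar + injected class")
	return kr, []Artifact{
		{Name: "unsigned", Data: jar},
		{Name: "wot", Data: jar, Sig: ed25519.Sign(wotPriv, jar), KeyID: KeyID(wotPub)},
		{Name: "outside", Data: jar, Sig: ed25519.Sign(extPriv, jar), KeyID: KeyID(extPub)},
		{Name: "tampered", Data: tampered, Sig: ed25519.Sign(wotPriv, jar), KeyID: KeyID(wotPub)},
	}
}

func main() {
	kr, artifacts := BuildScenario()
	for _, p := range []Policy{TrustUnsigned, TrustAnySigned, TrustWebOfTrust} {
		for _, a := range artifacts {
			fmt.Printf("policy=%d %-8s allowed=%v\n", p, a.Name, p.Allows(kr.Check(a)))
		}
	}
}
```

Run as is to print, for each of the three policies, which of the four constructed artifacts would be accepted; the "tampered" artifact (a modified download served with the original, still valid-looking signature) is the case a checksum-only scheme or the current "trust everything" default cannot distinguish from a good one.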
