On Mon, Jun 2, 2008 at 7:29 PM, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
> Noel J. Bergman wrote:
>>
>> Gilles Scokart wrote:
>>
>>> Noel J. Bergman:
>>>>
>>>> Implement that, and we're fine. We will
>>>> require Incubator artifacts to be signed by a designated key available
>>>> to the PMC, and once a user has acknowledged that they accept such
>>>> Incubator signed artifacts, maven can do what it wants with them.
>>>
>>> --- Noel
>>
>>> Is that really possible?
>>
>> Very.
>
> Why is it not equally possible to validate against a short list of keys
> (e.g. infra PMC members) and their immediate trust? This is what gpg is
> good at.

the short answer is not quite (trust models are too different). my
conclusion was that meta-data signed by a short list of keys in the WoT
would be good enough.

>>> I remember some discussion on the infra list about an ASF wide signature.
>>> And the conclusion was always the same: how to secure a key that can be
>>> used by so many people. If I remember well, some solutions were proposed,
>>> but they were quite heavy. Do we have a solution for that?

there's no need to distribute a master key

>> There are various things that can be done with respect to key management.

key management is tricky

>> Personally, I would not go with a single key. But maven ought to maintain
>> a trust file, with options to accept files that are signed with a trusted
>> key, or signed by a key that is signed by a trusted key, etc.

this is where the complexity lies. IIRC it was quite tough to come up with
a user friendly trust model that worked correctly.

>> The first thing that has to happen is for the Maven PMC to make security
>> a priority.
>
> As far as signing jars, microsoft authenticode etc, Noel and I planned to
> create such a service (although we've both been really busy in the past few
> months). But it will always require that the artifacts are already signed
> by someone in the ASF's web-of-trust via pgp.

we don't actually require that the artifacts are signed: just meta-data
about the artifacts

- robert
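The two proposals in this thread, a client-side trust file that accepts a key either directly or because a trusted key has signed it, and signing only the metadata (digests) of a release rather than every artifact, can be shown together in a few dozen lines. The following is an added example, not code from this thread, from Maven or from the ASF: it uses a toy textbook RSA over Mersenne primes as a stand-in for OpenPGP so that it runs offline on the standard library, and all keys, certifications, artifact bytes and the `max_depth` trust-file setting are constructed for the example. The trust walk generalises the "key signed by a trusted key" case in the quoted text to any number of hops, bounded by `max_depth`.

```python
import hashlib
import json

# Toy textbook RSA (no padding, fixed Mersenne primes, so no key generation
# code) standing in for OpenPGP. Only the trust walk and the metadata check
# below are the point; a real client would call gpg for these two helpers.
MERSENNE = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**521 - 1, 2**607 - 1]
E = 65537


def make_key(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    fp = hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()[:16]
    return {"fp": fp, "n": n, "d": d}


def sign(key, data: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % key["n"]
    return pow(h, key["d"], key["n"])


def verify(pub_n: int, data: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % pub_n
    return pow(sig, E, pub_n) == h


def trust_path(fp, trust_file, keyring, certs):
    """Walk certifications outward from the trust file's keys towards fp.
    max_depth=0 means 'signed with a trusted key' only; max_depth=1 adds
    'signed by a key that is signed by a trusted key', and so on.
    Returns the chain of fingerprints, or None if fp is not reachable."""
    frontier = [[t] for t in sorted(trust_file["trusted"])]
    for _ in range(trust_file["max_depth"] + 1):
        for path in frontier:
            if path[-1] == fp:
                return path
        nxt = []
        for path in frontier:
            signer = path[-1]
            for c in certs:
                # only follow a certification whose signature actually checks
                if (c["signer"] == signer and c["subject"] not in path
                        and signer in keyring
                        and verify(keyring[signer], c["subject"].encode(), c["sig"])):
                    nxt.append(path + [c["subject"]])
        frontier = nxt
    return None


def verify_release(artifacts, metadata, signer_fp, sig, trust_file, keyring, certs):
    """Accept a release from signed metadata alone (the jars carry no signature):
    1. the metadata signature verifies under the claimed key,
    2. that key is reachable from the trust file within max_depth hops,
    3. every downloaded artifact matches the digest the metadata lists."""
    if signer_fp not in keyring or not verify(keyring[signer_fp], metadata, sig):
        return False, "bad metadata signature"
    path = trust_path(signer_fp, trust_file, keyring, certs)
    if path is None:
        return False, "signing key not reachable from trust file"
    digests = json.loads(metadata)
    for name, data in artifacts.items():
        if digests.get(name) != hashlib.sha256(data).hexdigest():
            return False, f"digest mismatch for {name}"
    return True, "ok via " + " -> ".join(path)


# Constructed sample: infra key is in the user's trust file, it has certified
# the (hypothetical) PMC release key, and a third key is certified by nobody.
infra = make_key(MERSENNE[0], MERSENNE[1])
pmc = make_key(MERSENNE[2], MERSENNE[3])
stranger = make_key(MERSENNE[4], MERSENNE[5])
KEYRING = {k["fp"]: k["n"] for k in (infra, pmc, stranger)}
CERTS = [{"signer": infra["fp"], "subject": pmc["fp"],
          "sig": sign(infra, pmc["fp"].encode())}]
TRUST_FILE = {"trusted": {infra["fp"]}, "max_depth": 1}

# Constructed artifacts and the metadata document (name -> sha256) signed by the PMC key.
ARTIFACTS = {"foo-1.0.jar": b"constructed jar bytes", "foo-1.0.pom": b"<project/>"}
METADATA = json.dumps({n: hashlib.sha256(b).hexdigest() for n, b in ARTIFACTS.items()},
                      sort_keys=True).encode()
SIG = sign(pmc, METADATA)

if __name__ == "__main__":
    print(verify_release(ARTIFACTS, METADATA, pmc["fp"], SIG, TRUST_FILE, KEYRING, CERTS))
    print(verify_release(ARTIFACTS, METADATA, stranger["fp"], sign(stranger, METADATA),
                         TRUST_FILE, KEYRING, CERTS))
```

Lowering `max_depth` to 0 makes the same release fail, which is the usability knob the thread finds hard to get right: every extra hop the trust file allows is a key the user has never seen but is now trusting for all artifacts.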
