There is a pretty nice proposal on
http://people.apache.org/~henkp/trust/, however this will again take a
piece of "freedom of doing software at Apache" away and introduce some
administrative overhead that all projects must implement and manage.
Formalizing the signing of our releases would be a huge step towards a
reliable validation for the Apache software releases. It still does not
help you with third-party releases, though.
I don't know how many artifacts are on repo. I'd guess hundreds,
probably thousands. They have all been uploaded automatically or
semi-automatically, because validating them by hand from the bazillion
of different sources is very difficult.
I spot a startup chance here for a company offering a trusted, validated
repository where all uploaded artifacts have been verified by the
uploaders. Any VCs around? I am bored and have time to write a business
plan ;-)
IMHO: Anyone who is using maven for commercial software development and
does not run a controlled, in-house repository that is actively managed
and maintained is IMHO in for big, ugly surprises in the long run.
Ciao
Henning
On Wed, 2008-09-24 at 13:36 +0800, Niclas Hedhman wrote:
> On Wed, Sep 24, 2008 at 1:20 PM, Henning Schmiedehausen
> <[EMAIL PROTECTED]> wrote:
> I enjoy your scenarios...
>
> > And again, there is no "high nineties" security. Your solution is either
> > secure or it is not.
>
> For accuracy: this is not true either. AFAIK, no security solution is
> totally secure. You will be left with a numbers game.
>
> But I agree that this is a complex and non-trivial problem. Right now, we
> just say: "No Security, check manually." and to users who don't (like
> myself) we just ask them to blame themselves for being sloppy. Fair enough.
> BUT, somehow I feel that a bit of "help" could be in order, and I think that
> if it is not portrayed as "secure" and the manual check should still
> be done by the security conscious, then why not try to provide that? How can
> a step in the right direction be bad?
>
> Cheers
> Niclas
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
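The "controlled, in-house repository" and the "trusted, validated repository" discussed in this thread both need an admission gate that refuses artifacts whose checksum or signature does not hold up. The following is an added example, not code from this thread, from Apache, or from the Maven project. It assumes the sidecar-file convention that Maven repositories use (`<name>.sha1` holding a hex digest, optionally followed by a filename, and `<name>.asc` holding a detached OpenPGP signature), that a `gpg` binary is on PATH, and that the operator maintains a dedicated keyring plus an allowlist of release-key fingerprints; the keyring path, the allowlist and all sample inputs are constructed for illustration.

```python
"""Admission gate for artifacts entering a controlled in-house repository.

Added example (not from the thread or the Maven project). Assumes Maven-style
sidecars <name>.sha1 and <name>.asc, a gpg binary on PATH, and an
operator-maintained keyring plus fingerprint allowlist.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# A 40-hex-digit SHA-1, optionally followed by whitespace and a filename
# ("digest  name.jar" or "digest *name.jar"): tools differ in how they
# write the .sha1 sidecar, so all three forms are accepted.
_SHA1_LINE = re.compile(r"^([0-9a-fA-F]{40})(?:\s+\*?\S.*)?$")


def parse_sha1_file(text: str) -> str:
    """Return the lowercase digest from a .sha1 sidecar, or raise ValueError.

    Anything other than exactly one digest line is rejected: an empty file,
    a 32-digit MD5 in the wrong slot, or two digests glued together.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected one checksum line, got %d" % len(lines))
    match = _SHA1_LINE.match(lines[0])
    if match is None:
        raise ValueError("not a SHA-1 checksum line: %r" % lines[0])
    return match.group(1).lower()


def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def checksum_matches(artifact: bytes, sha1_text: str) -> bool:
    """True only when the bytes hash to the digest in a well-formed sidecar."""
    try:
        return sha1_of(artifact) == parse_sha1_file(sha1_text)
    except ValueError:
        return False


def signer_is_trusted(gpg_status: str, trusted_fingerprints: set) -> bool:
    """Decide from `gpg --status-fd` output whether a signature is acceptable.

    Only a VALIDSIG line proves the signature verified; GOODSIG alone is not
    enough, and any BADSIG/ERRSIG/NO_PUBKEY/EXPKEYSIG/REVKEYSIG line rejects
    outright. The signing key (field after VALIDSIG) or its primary key (last
    field) must be on the allowlist, so a valid signature from an unknown key
    is still refused.
    """
    valid_fprs = []
    for line in gpg_status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False
        if keyword == "VALIDSIG" and len(fields) >= 3:
            valid_fprs.append(fields[2].upper())
            valid_fprs.append(fields[-1].upper())
    trusted = {f.replace(" ", "").upper() for f in trusted_fingerprints}
    return any(fpr in trusted for fpr in valid_fprs)


def verify_signature(artifact: Path, signature: Path, keyring: Path,
                     trusted_fingerprints: set) -> bool:
    """Run gpg against a dedicated release keyring (assumes gpg is installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(signature), str(artifact)],
        capture_output=True, text=True)
    return signer_is_trusted(proc.stdout, trusted_fingerprints)


def admit(artifact: Path, keyring: Path, trusted_fingerprints: set) -> str:
    """Return "admitted" or a refusal reason; a missing sidecar is a refusal."""
    sha1_file = artifact.with_name(artifact.name + ".sha1")
    asc_file = artifact.with_name(artifact.name + ".asc")
    if not sha1_file.exists():
        return "refused: no .sha1 sidecar"
    if not asc_file.exists():
        return "refused: no .asc signature"
    if not checksum_matches(artifact.read_bytes(), sha1_file.read_text()):
        return "refused: checksum mismatch"
    if not verify_signature(artifact, asc_file, keyring, trusted_fingerprints):
        return "refused: signature not from a trusted release key"
    return "admitted"
```

The checksum alone only detects corruption, since whoever can replace the artifact on a mirror can replace the `.sha1` beside it; the signature check is what ties the file to a key the operator has chosen to trust, which is why `admit` refuses on a missing `.asc` rather than falling back to the digest.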