On 03/10/2008, Bruce Snyder <[EMAIL PROTECTED]> wrote: > On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <[EMAIL PROTECTED]> wrote: > > > Moved to the thread it belongs in ... > > > > Jason van Zyl wrote: > >> Noel J. Bergman wrote: > >> > Emmanuel Lecharny wrote: > >>>> Better a bad decision than no decision, otherwise, soon, nobody will > >>>> vote anymore... > >>> Not really. Consider that there appears to be a clear consensus > >>> that if Maven were to fix the download situation, requiring that users > >>> approve the user of Incubator artifacts, rather than transparently use > >>> them, many of the -1 would be +1. > > > >> That's unlikely to happen. We're not going to be implementing policy > >> enforcement for you. > > > > We don't need for you to implement any "policy" other than the requirement > > for users to approve authorized signing keys. You simply need to implement > > artifact signing and mandatory authorization, which is why I've moved this > > to the thread Brett started for purposes of discussing signing. > > > I'm trying to understand why authorization should be mandatory? To my > knowledge, only some of the Linux package management tools (apt, port, > rpm, yum) verify signatures by default and in the event of failure, > they allow you to continue without the key verification. > > Also, I've actually spoken to a number of folks about GPG verification > of artifacts over the last year and very few folks actually use this > today. > > > > Did you not see what just happened to Redhat with respect to Fedora? They > > take artifact security seriously. For a long time, it has appeared that > > Maven does not, but I am hopeful now that mandatory authorization will > > appear, so that I and others will not have to increase lobbying efforts to > > have the Maven repository closed, at least with respect to ASF projects. > > > Please explain what happened to RedHat with respect to Fedora. I'm not > familiar with the situation.
http://rtfa.net/2008/08/25/fedora-package-signing-server-compromise-crls-and-trust/ and http://rhn.redhat.com/errata/RHSA-2008-0855.html > Bruce > -- > perl -e 'print unpack("u30","D0G)[EMAIL > PROTECTED]&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*" > );' > > Apache ActiveMQ - http://activemq.org/ > Apache Camel - http://activemq.org/camel/ > Apache ServiceMix - http://servicemix.org/ > > Blog: http://bruceblog.org/ > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
