It would be nice if GeoServer could host SHA hashes and/or GPG
signatures on geoserver.org for each release. That is a fairly standard
practice, and would go a long way to verifying the integrity of
downloaded artifacts.
Thanks,
Emilio
On 10/7/20 10:42 AM, Ian Turton wrote:
The only way that you could in good conscience claim to have a trusted
build to those standards is to maintain your own clone of the project
locally and build directly from that using the commit number specified
in the GeoTools, GeoWebCache and GeoServer release notes. Obviously,
you'll want to check all of the code and the commits that have been
made to it since the last release to make sure nothing malicious has
been added to it. And don't forget to check all the dependencies we
build on top of, as any one of them could contain an issue too. If you
do find anything please use our responsible disclosure procedure to
let us know so we can apply your fix to benefit everyone else.
I guess it depends on how much paranoia your company wants to pay for.
Ian
On Wed, 7 Oct 2020 at 15:07, galebellego wrote:
Hi,
I use and deploy geoserver (through the war file) within a company that has high (and mostly legitimate) concerns about security.
Currently, geoserver stable / maintenance / .. versions can only be downloaded through *SourceForge*.
I know that, these last 4 years, SF made great efforts toward reliability, especially when they decided to terminate the DevShare program.
Unfortunately the trust here is hard to build back, and it's still too soon to be allowed to use SF to download any kind of artefact for production purposes.
Alternately, I could go to
https://build.geoserver.org/geoserver/2.17.x/..
and download a SNAPSHOT, but although the URL is trusted, I would like to be able to choose a specific version (for traceability purposes), and not a SNAPSHOT version.
Thus, I am wondering if there is a safe / trusted place where I could download some specific stable release of geoserver?
-----
Gaël LB
_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before
posting to this list:
- Earning your support instead of buying it, but Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
--
Ian Turton