[https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17531268#comment-17531268]
Martin Monperrus commented on MNG-6026:
---------------------------------------
[~michael-o] thanks a lot, that's very useful.
What's the timeline for model version 5?
> Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)
> -----------------------------------------------------------------------------------
>
> Key: MNG-6026
> URL: https://issues.apache.org/jira/browse/MNG-6026
> Project: Maven
> Issue Type: New Feature
> Components: Core
> Reporter: Florian Schmaus
> Priority: Major
> Labels: artifact-verification, security
>
> The origin of this feature request is the Stackoverflow question
> ["Verification of dependency authenticity in Maven POM based automated build
> systems"|http://stackoverflow.com/a/34795359/194894], and [especially a SO
> user requesting me to put this
> up|http://stackoverflow.com/questions/3307146/verification-of-dependency-authenticy-in-maven-pom-based-automated-build-systems/34795359?noredirect=1#comment62178671_34795359].
> h2. Extend the Project Object Model (POM) with trust information (OpenPGP - RFC 4480 and hash values)
> What we need is the possibility to model a trust relation from your project
> or artifact to the declared dependencies. So that, if all involved parties
> declare such a relation, we are able to create a "chain of trust" from the
> root (e.g. the project) over its dependencies down to the very last
> transitive dependency. The Project Object Model (POM) needs to be extended by
> a <verification/> element for dependencies.
> h3. Current Situation
> Right now we have something like
> {code:xml}
> <dependency>
> <groupId>junit</groupId>
> <artifactId>junit</artifactId>
> <version>4.0</version>
> </dependency>
> {code}
> h3. Hard dependencies
> For hard dependencies, <verification/> could include the sha256sum of the artifact
> and its POM file:
> {code:xml}
> <dependency>
> <groupId>junit</groupId>
> <artifactId>junit</artifactId>
> <version>[4.0]</version>
> <verification>
> <checksum hash='sha-256'>
> <pom>[sha256 of junit pom file]</pom>
> <artifact>[sha256sum of artifact (junit.jar)]</artifact>
> </checksum>
> </verification>
> </dependency>
> {code}
> h3. Soft dependencies
> If soft, also called "ranged" or "dynamic", dependencies are used, then we
> could specify the public key (or multiple) of the keypair used to sign the
> artifacts:
> {code:xml}
> <dependency>
> <groupId>junit</groupId>
> <artifactId>junit</artifactId>
> <version>[4.0,4.5)</version>
> <verification>
> <openpgp>[secure fingerprint of OpenPGP key used to sign the junit
> artifact(s)]</openpgp>
> <!-- possibly further 'openpgp' elements in case the artifacts in the
> specified version range were signed by multiple keys -->
> </verification>
> </dependency>
> {code}
> I'm not sure if this is the right place to raise a feature request for the
> POM format itself. I've already tried to get in touch with the right people
> about this feature request, but failed. I'm willing to help design and
> implement this, but need guidance.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
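The hard-dependency check proposed in the issue, as an added example that is not part of the ticket or of Maven itself: it parses the proposed `<verification><checksum>` element with Python's standard library, recomputes SHA-256 over constructed stand-ins for the POM and jar bytes (not real Maven Central content), and refuses to proceed when the element is missing or names an algorithm it does not support, so verification cannot be skipped silently.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for the downloaded junit-4.0.pom and junit-4.0.jar bytes.
POM_BYTES = b"<project>junit 4.0 pom (constructed)</project>"
JAR_BYTES = b"PK\x03\x04 junit-4.0.jar (constructed)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A <dependency> in the form MNG-6026 proposes, with the placeholder digests
# filled from the constructed bytes above.
DEPENDENCY_XML = f"""
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0]</version>
  <verification>
    <checksum hash='sha-256'>
      <pom>{sha256_hex(POM_BYTES)}</pom>
      <artifact>{sha256_hex(JAR_BYTES)}</artifact>
    </checksum>
  </verification>
</dependency>
"""

# Only algorithms the build is willing to trust; anything else is rejected.
SUPPORTED = {"sha-256": hashlib.sha256}


def verify_dependency(dep_xml: str, pom: bytes, artifact: bytes) -> dict:
    """Compare downloaded POM/artifact bytes with the digests declared in
    <verification>. Returns {"pom": bool, "artifact": bool}; raises ValueError
    when no checksum is declared or the hash algorithm is unsupported."""
    dep = ET.fromstring(dep_xml)
    checksum = dep.find("verification/checksum")
    if checksum is None:
        raise ValueError("dependency carries no <verification><checksum>")
    algo = (checksum.get("hash") or "").lower()
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm {algo!r}")
    digest = lambda b: SUPPORTED[algo](b).hexdigest()
    expected = {k: (checksum.findtext(k) or "").strip().lower()
                for k in ("pom", "artifact")}
    return {"pom": digest(pom) == expected["pom"],
            "artifact": digest(artifact) == expected["artifact"]}


if __name__ == "__main__":
    print(verify_dependency(DEPENDENCY_XML, POM_BYTES, JAR_BYTES))
    print(verify_dependency(DEPENDENCY_XML, POM_BYTES, JAR_BYTES + b"tampered"))
```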