RE: status of PGP support in Maven

2008-10-07 Thread Noel J. Bergman
Jason van Zyl wrote: > Noel, your comments are completely out of whack with reality. You are > asking Maven to enforce something that no one does. Pretty much > almost no one. > Checking PGP signatures is obviously not something the vast majority of people do. Really? Try following the instruct

RE: status of PGP support in Maven

2008-10-07 Thread Noel J. Bergman
Niklas Gustavsson wrote: > Is the idea to do this in the POM or similar? Having something like: Can we please move this discussion to [EMAIL PROTECTED] or [EMAIL PROTECTED] --- Noel - To unsubscribe, e-mail: [EMAIL PR

Re: status of PGP support in Maven

2008-10-07 Thread Hiram Chirino
The current plugin stores the checksum in a checksum.txt file that sits alongside of the pom.xml in the source code. Doing it in a separate file makes adding new checksums a little easier, plus I'm not sure it would be valid to extend the pom XML schema in the way you described. Another reason that

Re: status of PGP support in Maven

2008-10-07 Thread Niklas Gustavsson
On Tue, Oct 7, 2008 at 3:21 PM, Hiram Chirino <[EMAIL PROTECTED]> wrote: > Because we would be including the checksum in the source code of the > project that needs the dependency. Is the idea to do this in the POM or similar? Having something like: commons-lang co

Re: status of PGP support in Maven

2008-10-07 Thread Hiram Chirino
On Mon, Oct 6, 2008 at 11:39 PM, Niclas Hedhman <[EMAIL PROTECTED]> wrote: > On Mon, Oct 6, 2008 at 10:08 PM, Hiram Chirino <[EMAIL PROTECTED]> wrote: > >> There are maven plugins that can validate the checksums of 3rd party >> dependencies. > > Uhhh... Call me stupid, but how can a checksum solve an

Re: status of PGP support in Maven

2008-10-07 Thread William A. Rowe, Jr.
Niclas Hedhman wrote: > On Mon, Oct 6, 2008 at 10:08 PM, Hiram Chirino <[EMAIL PROTECTED]> wrote: > >> There are maven plugins that can validate the checksums of 3rd party >> dependencies. > > Uhhh... Call me stupid, but how can a checksum solve anything other than > assuring that the download work

Re: status of PGP support in Maven

2008-10-06 Thread Jason van Zyl
On 6-Oct-08, at 10:21 AM, Noel J. Bergman wrote: Niclas Hedhman wrote: Being in the camp "I hate Maven too" I hate Maven's lack of authentication, the potential for widespread damage, and am immensely frustrated by their *years* of willfully negligent handling thereof. I would like t

Re: status of PGP support in Maven

2008-10-06 Thread Niclas Hedhman
On Mon, Oct 6, 2008 at 10:08 PM, Hiram Chirino <[EMAIL PROTECTED]> wrote: > There are maven plugins that can validate the checksums of 3rd party > dependencies. Uhhh... Call me stupid, but how can a checksum solve anything other than assuring that the download worked?? AFAIK, Maven does not pick up
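Hiram's checksum.txt-beside-pom.xml idea (his 2008-10-07 message above) and Niclas's question here about what a checksum actually proves, worked through as an added example. This is not code from Maven, from the plugin Hiram mentions, or from anyone in the thread: the pin-file syntax `group:artifact:version sha256=<hex>`, the coordinates and the artifact bytes are all constructed for the illustration, since the thread never states the plugin's real format. The point it shows is the one Niclas makes: a checksum fetched from the same repository as the artifact only proves the download arrived intact, whereas a checksum committed in the consuming project's source binds the dependency to whatever trust the user already places in that source.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Sha256Hex returns the lowercase hex SHA-256 digest of data.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// PinLine renders one pin-file entry for a Maven coordinate.
// Format (an assumption for this example): "group:artifact:version sha256=<hex>"
func PinLine(coord string, data []byte) string {
	return fmt.Sprintf("%s sha256=%s", coord, Sha256Hex(data))
}

// ParsePins reads a pin file kept in the consuming project's source tree
// (the checksum.txt-next-to-pom.xml idea) into a coordinate -> digest map.
// Blank lines and '#' comments are ignored; anything else malformed is an error.
func ParsePins(text string) (map[string]string, error) {
	pins := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || !strings.HasPrefix(fields[1], "sha256=") {
			return nil, fmt.Errorf("pin file line %d: malformed entry %q", n, line)
		}
		digest := strings.ToLower(strings.TrimPrefix(fields[1], "sha256="))
		if len(digest) != 64 {
			return nil, fmt.Errorf("pin file line %d: bad sha256 length", n)
		}
		if _, err := hex.DecodeString(digest); err != nil {
			return nil, fmt.Errorf("pin file line %d: %v", n, err)
		}
		if _, dup := pins[fields[0]]; dup {
			return nil, fmt.Errorf("pin file line %d: duplicate pin for %s", n, fields[0])
		}
		pins[fields[0]] = digest
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return pins, nil
}

// VerifyPinned checks a downloaded artifact against the pin recorded in
// source. An unpinned coordinate is an error too: silently accepting it
// would let a new transitive dependency bypass the check entirely.
func VerifyPinned(pins map[string]string, coord string, data []byte) error {
	want, ok := pins[coord]
	if !ok {
		return fmt.Errorf("%s: no pin recorded, refusing to use it", coord)
	}
	got := Sha256Hex(data)
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return fmt.Errorf("%s: sha256 %s does not match pinned %s", coord, got, want)
	}
	return nil
}

// RepoChecksumMatches models the stock repository check: the checksum file
// is fetched from the same server as the artifact, so it can only tell you
// the download arrived intact, not who produced the bytes.
func RepoChecksumMatches(data []byte, servedDigest string) bool {
	return Sha256Hex(data) == strings.ToLower(servedDigest)
}

func main() {
	const coord = "commons-lang:commons-lang:2.4" // constructed coordinates
	genuine := []byte("constructed stand-in for the genuine commons-lang-2.4.jar")
	pinText := "# pins committed next to pom.xml\n" + PinLine(coord, genuine) + "\n"
	pins, err := ParsePins(pinText)
	if err != nil {
		panic(err)
	}

	// A tampered mirror serves a modified jar AND a checksum computed over it.
	tampered := []byte("constructed stand-in for a backdoored commons-lang-2.4.jar")
	servedSum := Sha256Hex(tampered)

	fmt.Println("repo checksum matches tampered jar:", RepoChecksumMatches(tampered, servedSum))
	fmt.Println("pinned check on tampered jar:", VerifyPinned(pins, coord, tampered))
	fmt.Println("pinned check on genuine jar:", VerifyPinned(pins, coord, genuine))
}
```

The repository-served checksum passes for the tampered jar because whoever replaced the jar replaced the checksum beside it; only the pin committed in source catches it. The pin still has to come from somewhere trustworthy the first time, which is the gap the later signature discussion in the thread is about.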

RE: status of PGP support in Maven

2008-10-06 Thread Henning Schmiedehausen
On Mon, 2008-10-06 at 10:21 -0400, Noel J. Bergman wrote: > Henning Schmiedehausen wrote: > > > Noel J. Bergman wrote: > > > We don't have to. We can simply mandate that every ASF project sign > their > > > artifacts and charge the Maven PMC with enforcing it. > > > No. The Maven PMC is charged

Re: status of PGP support in Maven

2008-10-06 Thread Hiram Chirino
Note that problems A and B both occur at manual steps in the build/development process. Just wanted to point that out to folks who complain that maven is insecure because it downloads stuff automatically. With checksums, as long as the manual steps are secure, automated bits should be secure too.

RE: status of PGP support in Maven

2008-10-06 Thread Noel J. Bergman
Niclas Hedhman wrote: > Being in the camp "I hate Maven too" I hate Maven's lack of authentication, the potential for widespread damage, and am immensely frustrated by their *years* of willfully negligent handling thereof. > I would like to swap Noel's statement around and ask; Why doesn't > sec

RE: status of PGP support in Maven

2008-10-06 Thread Noel J. Bergman
Henning Schmiedehausen wrote: > Noel J. Bergman wrote: > > We don't have to. We can simply mandate that every ASF project sign their > > artifacts and charge the Maven PMC with enforcing it. > No. The Maven PMC is charged with developing software for the Apache > Maven project. You misunderstan

Re: status of PGP support in Maven

2008-10-06 Thread Hiram Chirino
On Fri, Oct 3, 2008 at 8:01 PM, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote: > On Fri, 2008-10-03 at 11:20 -0400, Noel J. Bergman wrote: >> Henning Schmiedehausen wrote: >> >> > There is a pretty nice proposal on >> > http://people.apache.org/~henkp/trust/, however this will again take a >> >

Re: status of PGP support in Maven

2008-10-06 Thread Niclas Hedhman
On Mon, Oct 6, 2008 at 10:45 AM, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote: > On Fri, 2008-10-03 at 12:31 -0400, Noel J. Bergman wrote: >> >> We don't have to. We can simply mandate that every ASF project sign their >> artifacts and charge the Maven PMC with enforcing it. > > No. The Maven

RE: status of PGP support in Maven

2008-10-05 Thread Henning Schmiedehausen
On Fri, 2008-10-03 at 12:31 -0400, Noel J. Bergman wrote: > > We don't have to. We can simply mandate that every ASF project sign their > artifacts and charge the Maven PMC with enforcing it. No. The Maven PMC is charged with developing software for the Apache Maven project. If we really want to

Re: status of PGP support in Maven

2008-10-04 Thread Robert Burrell Donkin
On Fri, Oct 3, 2008 at 10:02 PM, sebb <[EMAIL PROTECTED]> wrote: > On 03/10/2008, Bruce Snyder <[EMAIL PROTECTED]> wrote: >> On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <[EMAIL PROTECTED]> wrote: >> >> > Moved to the thread it belongs in ... >> > >> > Jason van Zyl wrote: >> >> Noel J. Bergm

RE: status of PGP support in Maven

2008-10-03 Thread Henning Schmiedehausen
On Fri, 2008-10-03 at 11:20 -0400, Noel J. Bergman wrote: > Henning Schmiedehausen wrote: > > > There is a pretty nice proposal on > > http://people.apache.org/~henkp/trust/, however this will again take a > > piece of "freedom of doing software at Apache" away and introduce some > > administrativ

Re: status of PGP support in Maven

2008-10-03 Thread sebb
On 03/10/2008, Bruce Snyder <[EMAIL PROTECTED]> wrote: > On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <[EMAIL PROTECTED]> wrote: > > > Moved to the thread it belongs in ... > > > > Jason van Zyl wrote: > >> Noel J. Bergman wrote: > >> > Emmanuel Lecharny wrote: > Better a bad decision

Re: status of PGP support in Maven

2008-10-03 Thread Bruce Snyder
On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <[EMAIL PROTECTED]> wrote: > Moved to the thread it belongs in ... > > Jason van Zyl wrote: >> Noel J. Bergman wrote: >> > Emmanuel Lecharny wrote: Better a bad decision than no decision, otherwise, soon, nobody will vote anymore... >>> Not

Re: status of PGP support in Maven

2008-10-03 Thread Jukka Zitting
Hi, On Fri, Oct 3, 2008 at 4:50 PM, Noel J. Bergman <[EMAIL PROTECTED]> wrote: > We don't need for you to implement any "policy" other than the requirement > for users to approve authorized signing keys. You simply need to implement > artifact signing and mandatory authorization, which is why I'v

Re: status of PGP support in Maven

2008-10-03 Thread sebb
On 03/10/2008, Brian E. Fox <[EMAIL PROTECTED]> wrote: > > >We don't have to. We can simply mandate that every ASF project sign > their > >artifacts and charge the Maven PMC with enforcing it. > > > And are you going to lobby Firefox and Microsoft to enforce in their > browsers? Microsoft alr

RE: status of PGP support in Maven

2008-10-03 Thread Brian E. Fox
>We don't have to. We can simply mandate that every ASF project sign their >artifacts and charge the Maven PMC with enforcing it. And are you going to lobby Firefox and Microsoft to enforce in their browsers? Seriously why is this Maven's problem simply because it downloads it when you can't enf

Re: status of PGP support in Maven

2008-10-03 Thread Jason van Zyl
On 3-Oct-08, at 12:31 PM, Noel J. Bergman wrote: Jason van Zyl wrote: Noel J. Bergman wrote: We don't need for you to implement any "policy" other than the requirement for users to approve authorized signing keys. You simply need to implement artifact signing and mandatory authorization, w

Re: status of PGP support in Maven

2008-10-03 Thread Robert Burrell Donkin
On Fri, Oct 3, 2008 at 5:31 PM, Noel J. Bergman <[EMAIL PROTECTED]> wrote: > Jason van Zyl wrote: > >> Noel J. Bergman wrote: >> > Did you not see what just happened to Redhat with respect to >> > Fedora? They take artifact security seriously. For a long time, >> > it has appeared that Maven d

Re: status of PGP support in Maven

2008-10-03 Thread Robert Burrell Donkin
On Sat, Sep 20, 2008 at 6:08 PM, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote: > On Sat, 2008-09-20 at 10:08 +0100, Robert Burrell Donkin wrote: >> On Fri, Sep 19, 2008 at 6:11 PM, Justin Erenkrantz >> <[EMAIL PROTECTED]> wrote: >> > On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino <[EMAIL PROTEC

RE: status of PGP support in Maven

2008-10-03 Thread Noel J. Bergman
Jason van Zyl wrote: > Noel J. Bergman wrote: > > We don't need for you to implement any "policy" other than the > > requirement for users to approve authorized signing keys. You > > simply need to implement artifact signing and mandatory > > authorization, which is why I've moved this to the th

Re: status of PGP support in Maven

2008-10-03 Thread Jason van Zyl
On 3-Oct-08, at 10:50 AM, Noel J. Bergman wrote: Moved to the thread it belongs in ... Jason van Zyl wrote: Noel J. Bergman wrote: Emmanuel Lecharny wrote: Better a bad decision than no decision, otherwise, soon, nobody will vote anymore... Not really. Consider that there appears to be

RE: status of PGP support in Maven

2008-10-03 Thread Noel J. Bergman
Hiram wrote: > a source build like Apache ServiceMix depends on hundreds of > third party dependencies.. so an end user would need to end up > trusting LOTS of different signatures to get ServiceMix to build. > It would be easier if the end user could just trust the Apache source > distro and also tr

RE: status of PGP support in Maven

2008-10-03 Thread Noel J. Bergman
Henning Schmiedehausen wrote: > There is a pretty nice proposal on > http://people.apache.org/~henkp/trust/, however this will again take a > piece of "freedom of doing software at Apache" away and introduce some > administrative overhead that all projects must implement and manage. But, as you s

RE: status of PGP support in Maven

2008-10-03 Thread Noel J. Bergman
> The sources you build come either from svn or from a signed > release package. We are concerned only with the latter, not what people do with code taken directly from our SVN repository. --- Noel

RE: status of PGP support in Maven

2008-10-03 Thread Noel J. Bergman
Brett Porter wrote: > Currently, it has checking turned on by default, but that isn't going to be > a reasonable setting for some releases to come until the signatures in the > repository are cleaned up. Why not enforce checking, but provide the ability for users to manually approve unsigned arti

RE: status of PGP support in Maven

2008-10-03 Thread Noel J. Bergman
> Something else that needs to be considered is what happens if > someone's private key in the web of trust gets compromised? Did you see what happened with Fedora last week (or two weeks ago at this point)? They had to close down their repository system and re-issue new, re-signed, artifacts.

re: status of PGP support in Maven

2008-10-03 Thread Noel J. Bergman
Moved to the thread it belongs in ... Jason van Zyl wrote: > Noel J. Bergman wrote: > > Emmanuel Lecharny wrote: >>> Better a bad decision than no decision, otherwise, soon, nobody will >>> vote anymore... >> Not really. Consider that there appears to be a clear consensus >> that if Maven were to

Re: Key signing practicalities Was: status of PGP support in Maven

2008-09-28 Thread Craig L Russell
Hi Janne, I will be traveling to Helsinki within the next 6 months (probably). If you're on tripit you can watch for my trip (in case I forget for some reason to let you know). Craig On Sep 23, 2008, at 11:36 PM, Janne Jalkanen wrote: So you assume that www.apache.org can not be hac

Re: status of PGP support in Maven

2008-09-25 Thread David Crossley
William A. Rowe, Jr. wrote: > > The bigger problem is that you appear to be arguing against solving the > problem rather than offering solutions, and I recall some have suggested > that this thread should die already. Maybe time to take this to maven > where it belongs? I reckon that it is beyon

Re: status of PGP support in Maven

2008-09-24 Thread William A. Rowe, Jr.
Paul Querna wrote: > > Open an infrastructure JIRA ticket and I'll figure out getting https:// > on www.apache.org sooner or later. Good thought. https://issues.apache.org/jira/browse/INFRA-1737

Re: status of PGP support in Maven

2008-09-24 Thread Paul Querna
William A. Rowe, Jr. wrote: Henning Schmiedehausen wrote: So you assume that www.apache.org can not be hacked? What if a signing key *IS* in KEYS but not signed by anyone (because the developer has never attended an Apache key signing event)? No, I answered your question. W.r.t. www.apac

Re: status of PGP support in Maven

2008-09-24 Thread Dirk-Willem van Gulik
On Sep 24, 2008, at 3:44 PM, Hiram Chirino wrote: On Wed, Sep 24, 2008 at 1:27 AM, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote: On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote: On Mon, Sep 22, 2008 at 10:12 AM, sebb <[EMAIL PROTECTED]> wrote: On 22/09/2008, Hiram Chirino <[EMAIL

Re: status of PGP support in Maven

2008-09-24 Thread Hiram Chirino
On Wed, Sep 24, 2008 at 1:27 AM, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote: > On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote: >> On Mon, Sep 22, 2008 at 10:12 AM, sebb <[EMAIL PROTECTED]> wrote: >> > On 22/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote: >> >> The only reason I sugg

Re: status of PGP support in Maven

2008-09-24 Thread Hiram Chirino
On Wed, Sep 24, 2008 at 1:20 AM, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote: > On Mon, 2008-09-22 at 09:34 -0400, Hiram Chirino wrote: >> The only reason I suggested including the sigs in the source distro is >> because a source build like Apache ServiceMix depends on hundreds of >> third par

Re: Key signing practicalities Was: status of PGP support in Maven

2008-09-24 Thread Niclas Hedhman
On Wed, Sep 24, 2008 at 2:36 PM, Janne Jalkanen <[EMAIL PROTECTED]>wrote: > So you assume that www.apache.org can not be hacked? What if a >> signing key *IS* in KEYS but not signed by anyone (because the developer >> has never attended an Apache key signing event)? >> > > Which reminds me -

Re: Key signing practicalities Was: status of PGP support in Maven

2008-09-24 Thread David Crossley
Janne Jalkanen wrote: > > > >So you assume that www.apache.org can not be hacked? What if a > >signing key *IS* in KEYS but not signed by anyone (because the > >developer > >has never attended an Apache key signing event)? > > Which reminds me - if one does not attend an Apache key signing

Re: Key signing practicalities Was: status of PGP support in Maven

2008-09-24 Thread Jukka Zitting
Hi, On Wed, Sep 24, 2008 at 8:36 AM, Janne Jalkanen <[EMAIL PROTECTED]> wrote: > Any people near Helsinki, Finland who are willing to have a coffee and sign > my key? ;-) I'll be in Helsinki for two weeks after the ApacheCon US. BR, Jukka Zitting ---

Key signing practicalities Was: status of PGP support in Maven

2008-09-24 Thread Janne Jalkanen
So you assume that www.apache.org can not be hacked? What if a signing key *IS* in KEYS but not signed by anyone (because the developer has never attended an Apache key signing event)? Which reminds me - if one does not attend an Apache key signing event (which tend to be in faraway co

Re: status of PGP support in Maven

2008-09-23 Thread William A. Rowe, Jr.
Henning Schmiedehausen wrote: > So you assume that www.apache.org can not be hacked? What if a > signing key *IS* in KEYS but not signed by anyone (because the developer > has never attended an Apache key signing event)? No, I answered your question. W.r.t. www.apache.org/dist/{tlp}/KEYS, we

Re: status of PGP support in Maven

2008-09-23 Thread Niclas Hedhman
On Wed, Sep 24, 2008 at 2:02 PM, Henning Schmiedehausen <[EMAIL PROTECTED]>wrote: > There is a pretty nice proposal on > http://people.apache.org/~henkp/trust/, > however this will again take a > piece of "freedom of doing software at Apache" away and intr

Re: status of PGP support in Maven

2008-09-23 Thread Henning Schmiedehausen
There is a pretty nice proposal on http://people.apache.org/~henkp/trust/, however this will again take a piece of "freedom of doing software at Apache" away and introduce some administrative overhead that all projects must implement and manage. Formalizing the signing of our releases would be a h

Re: status of PGP support in Maven

2008-09-23 Thread Henning Schmiedehausen
So you assume that www.apache.org can not be hacked? What if a signing key *IS* in KEYS but not signed by anyone (because the developer has never attended an Apache key signing event)? Ciao Henning On Wed, 2008-09-24 at 00:36 -0500, William A. Rowe, Jr. wrote: > Henni

Re: status of PGP support in Maven

2008-09-23 Thread William A. Rowe, Jr.
Henning Schmiedehausen wrote: > > How do you validate that the pub key presented to you is genuine? Every project worth its salt has a www.apache.org/dist/{tlp}/KEYS file which contain that project's contributors' signatures, countersigned or not. Ideally, they are extensively countersigned. B

Re: status of PGP support in Maven

2008-09-23 Thread Niclas Hedhman
On Wed, Sep 24, 2008 at 1:20 PM, Henning Schmiedehausen <[EMAIL PROTECTED]>wrote: I enjoy your scenarios... > And again, there is no "high nineties" security. Your solution is either > secure or it is not. For accuracy; This is not true either. AFAIK, no security solution is totally secure. You

Re: status of PGP support in Maven

2008-09-23 Thread Henning Schmiedehausen
On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote: > On Mon, Sep 22, 2008 at 10:12 AM, sebb <[EMAIL PROTECTED]> wrote: > > On 22/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote: > >> The only reason I suggested including the sigs in the source distro is > >> because a source build like Apach

Re: status of PGP support in Maven

2008-09-23 Thread Henning Schmiedehausen
On Mon, 2008-09-22 at 09:34 -0400, Hiram Chirino wrote: > The only reason I suggested including the sigs in the source distro is > because a source build like Apache ServiceMix depends on hundreds of > third party dependencies.. so an end user would need to end up Yes. Now you are getting closer.

Re: status of PGP support in Maven

2008-09-22 Thread sebb
On 21/09/2008, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote: > > On Sat, 2008-09-20 at 19:52 +0200, Jukka Zitting wrote: > > HI, > > > > On Sat, Sep 20, 2008 at 7:08 PM, Henning Schmiedehausen > > <[EMAIL PROTECTED]> wrote: > > > Hiram suggested to put the signatures into the source, whic

Re: status of PGP support in Maven

2008-09-22 Thread sebb
On 22/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote: > On Mon, Sep 22, 2008 at 10:12 AM, sebb <[EMAIL PROTECTED]> wrote: > > On 22/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote: > >> The only reason I suggested including the sigs in the source distro is > >> because a source build like Ap

Re: status of PGP support in Maven

2008-09-22 Thread Henning Schmiedehausen
On Sat, 2008-09-20 at 19:52 +0200, Jukka Zitting wrote: > HI, > > On Sat, Sep 20, 2008 at 7:08 PM, Henning Schmiedehausen > <[EMAIL PROTECTED]> wrote: > > Hiram suggested to put the signatures into the source, which in turn is > > also distributed from the repo. > > It's not. The sources you bui

Re: status of PGP support in Maven

2008-09-22 Thread Hiram Chirino
On Mon, Sep 22, 2008 at 10:12 AM, sebb <[EMAIL PROTECTED]> wrote: > On 22/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote: >> The only reason I suggested including the sigs in the source distro is >> because a source build like Apache ServiceMix depends on hundreds of >> third party dependencies

Re: status of PGP support in Maven

2008-09-22 Thread sebb
On 22/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote: > The only reason I suggested including the sigs in the source distro is > because a source build like Apache ServiceMix depends on hundreds of > third party dependencies.. so an end user would need to end up > trusting LOTS of different signa

Re: status of PGP support in Maven

2008-09-22 Thread James Carman
Eclipse does something like this, doesn't it? When you install a plugin, it asks you to accept the license terms for all the stuff that's being imported. Couldn't maven do something similar? On Mon, Sep 22, 2008 at 9:34 AM, Hiram Chirino <[EMAIL PROTECTED]> wrote: > The only reason I suggested i

Re: status of PGP support in Maven

2008-09-22 Thread Hiram Chirino
The only reason I suggested including the sigs in the source distro is because a source build like Apache ServiceMix depends on hundreds of third party dependencies.. so an end user would need to end up trusting LOTS of different signatures to get ServiceMix to build. It would be easier if the end us

Re: status of PGP support in Maven

2008-09-20 Thread Jukka Zitting
HI, On Sat, Sep 20, 2008 at 7:08 PM, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote: > Hiram suggested to put the signatures into the source, which in turn is > also distributed from the repo. It's not. The sources you build come either from svn or from a signed release package. BR, Jukka Zit

Re: status of PGP support in Maven

2008-09-20 Thread Henning Schmiedehausen
On Sat, 2008-09-20 at 10:08 +0100, Robert Burrell Donkin wrote: > On Fri, Sep 19, 2008 at 6:11 PM, Justin Erenkrantz > <[EMAIL PROTECTED]> wrote: > > On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino <[EMAIL PROTECTED]> wrote: > >> How about we include the signatures in the source distros? That way >

Re: status of PGP support in Maven

2008-09-20 Thread Robert Burrell Donkin
On Fri, Sep 19, 2008 at 6:11 PM, Justin Erenkrantz <[EMAIL PROTECTED]> wrote: > On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino <[EMAIL PROTECTED]> wrote: >> How about we include the signatures in the source distros? That way >> if you trust your source, then you can trust the dependencies it >> do

Re: status of PGP support in Maven

2008-09-19 Thread Justin Erenkrantz
On Fri, Sep 19, 2008 at 6:12 AM, Hiram Chirino <[EMAIL PROTECTED]> wrote: > How about we include the signatures in the source distros? That way > if you trust your source, then you can trust the dependencies it > downloads. Eww. That'd be a giant gaping security hole. -- justin ---

Re: status of PGP support in Maven

2008-09-19 Thread Hiram Chirino
How about we include the signatures in the source distros? That way if you trust your source, then you can trust the dependencies it downloads. On Thu, Sep 18, 2008 at 12:22 PM, Craig L Russell <[EMAIL PROTECTED]> wrote: > > On Sep 17, 2008, at 5:32 PM, Henning Schmiedehausen wrote: > >> The only

Re: status of PGP support in Maven

2008-09-18 Thread Craig L Russell
On Sep 17, 2008, at 5:32 PM, Henning Schmiedehausen wrote: The only way around that I can see right away in a heavily mirrored system, is to pull the signatures (and probably even the checksums) from central all the time. Which represents a single point of failure and a non-scaling element.

Re: status of PGP support in Maven

2008-09-18 Thread William A. Rowe, Jr.
Gilles Scokart wrote: 2008/9/15 William A. Rowe, Jr. <[EMAIL PROTECTED]>: Brett Porter wrote: For the releases to be identified as from the incubator, they'll need to be signed solely by "the incubator". Did you want to elaborate on how you anticipated that set up working? With PGP it's a web

Re: status of PGP support in Maven

2008-09-17 Thread Gilles Scokart
2008/9/15 William A. Rowe, Jr. <[EMAIL PROTECTED]>: > Brett Porter wrote: >> >> For the releases to be identified as from the incubator, they'll need to >> be >> signed solely by "the incubator". Did you want to elaborate on how you >> anticipated that set up working? > > With PGP it's a web of tru

Re: status of PGP support in Maven

2008-09-17 Thread Henning Schmiedehausen
On Tue, 2008-09-16 at 01:02 +1100, Brett Porter wrote: [...] > Currently, it has checking turned on by default, but that isn't going to be > a reasonable setting for some releases to come until the signatures in the > repository are cleaned up. At the moment I've populated unsigned artifacts > wit

Re: status of PGP support in Maven

2008-09-17 Thread Hiram Chirino
Something else that needs to be considered is what happens if someone's private key in the web of trust gets compromised? Once compromised, malicious releases could get re-rolled, and deployed. I think GPG would be good to validate an initial dependency/checksum for an artifact, but after that fut
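William Rowe's KEYS-file answer (2008-09-23 above) and Hiram's compromised-key question here, combined into one added example. It is not code from the thread, from Maven or from gpg: it substitutes ed25519 from Go's standard library for PGP, an 8-byte SHA-256 prefix for a PGP fingerprint, and a small in-memory revocation list for the real key-revocation machinery; the coordinates and artifact bytes are constructed. What it shows is the sequence Hiram sketches, verify the signature against the keys accepted from KEYS the first time and pin the digest after that, and the two failure modes the thread raises: a release re-rolled under the same coordinates with a leaked key, and the fact that revoking a key also invalidates every genuine release it signed, which is why Fedora had to re-issue re-signed artifacts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// KeyID stands in for a PGP fingerprint: the first 8 bytes of the SHA-256
// of the public key (an assumption for this example, not how PGP does it).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Release is an artifact plus its detached signature and the ID of the key
// that produced it, roughly what gpg --verify reads out of an .asc file.
type Release struct {
	Coord string
	Data  []byte
	Sig   []byte
	KeyID string
}

// Trust is the user's side: keys accepted from a KEYS file, keys revoked
// since, and the digest pinned the first time each coordinate verified.
type Trust struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
	Pins    map[string]string
}

func NewTrust() *Trust {
	return &Trust{Keys: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}, Pins: map[string]string{}}
}

// AcceptKey is the manual step: the user has checked the KEYS file (and
// ideally its countersignatures) and admits this key. Returns its ID.
func (t *Trust) AcceptKey(pub ed25519.PublicKey) string {
	id := KeyID(pub)
	t.Keys[id] = pub
	return id
}

// Revoke marks a key as compromised. Everything it ever signed stops
// verifying, including genuine old releases, which then need re-signing.
func (t *Trust) Revoke(id string) { t.Revoked[id] = true }

// Verify accepts a release only if its key is in KEYS and not revoked, the
// signature is valid, and the digest matches the pin taken on first sight.
// The pin is what catches a release re-rolled under the same coordinates
// with a compromised key that nobody has revoked yet.
func (t *Trust) Verify(r Release) error {
	pub, ok := t.Keys[r.KeyID]
	if !ok {
		return fmt.Errorf("%s: signing key %s is not in KEYS", r.Coord, r.KeyID)
	}
	if t.Revoked[r.KeyID] {
		return fmt.Errorf("%s: signing key %s has been revoked", r.Coord, r.KeyID)
	}
	if !ed25519.Verify(pub, r.Data, r.Sig) {
		return fmt.Errorf("%s: signature does not verify", r.Coord)
	}
	sum := sha256.Sum256(r.Data)
	digest := hex.EncodeToString(sum[:])
	if pinned, seen := t.Pins[r.Coord]; seen && pinned != digest {
		return fmt.Errorf("%s: validly signed, but not the bytes first seen (re-rolled release?)", r.Coord)
	}
	t.Pins[r.Coord] = digest
	return nil
}

// Sign models the release manager's gpg --detach-sign.
func Sign(priv ed25519.PrivateKey, coord string, data []byte) Release {
	pub := priv.Public().(ed25519.PublicKey)
	return Release{Coord: coord, Data: data, Sig: ed25519.Sign(priv, data), KeyID: KeyID(pub)}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := NewTrust()
	id := t.AcceptKey(pub)
	const coord = "org.example:lib:1.0" // constructed coordinates
	rel := Sign(priv, coord, []byte("constructed stand-in for lib-1.0.jar"))
	fmt.Println("first release:", t.Verify(rel))

	// The release manager's key leaks; the attacker re-rolls the same version.
	evil := Sign(priv, coord, []byte("constructed stand-in for a backdoored lib-1.0.jar"))
	fmt.Println("re-rolled release:", t.Verify(evil))

	// Once revoked, even the genuine release must be re-signed with a new key.
	t.Revoke(id)
	fmt.Println("genuine release after revocation:", t.Verify(rel))
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	t.AcceptKey(pub2)
	fmt.Println("re-signed genuine release:", t.Verify(Sign(priv2, coord, rel.Data)))
}
```

The re-signed release verifies against the pin because the bytes are unchanged; only the signature moved to the new key. A real deployment would also need the pins themselves to be distributed somewhere the attacker cannot rewrite alongside the artifact, which is the same problem the checksum discussion earlier in the thread runs into.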