Posted to infrastructure-dev@apache.org by Thomas Koch <th...@koch.ro> on 2011/09/16 09:40:19 UTC
secure distributions was: jar signing
Hi,
I'm very happy to see the topic of secure binaries raised. I'm very worried
that it's virtually impossible to do java development without compromising the
security of every machine involved.[1]
Since I come from Debian I thought some background about the security model of
the Debian archive could be of interest:
http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign
http://www.cryptnet.net/fdp/crypto/strong_distro.html
Some bullet points (disclaimer: I'm not an expert in this.):
* Debian Maintainers upload source code, which gets built by the archive.
* Maintainers need to have their GPG key in the Debian keyring to have upload
permission.
* Every archive contains a signed list of the hashes of all packages included
* The archive key is renewed every year.
* The Debian process could of course still be improved. (Require two
Maintainers to sign an upload?)
[1] Don't tell me that you can set up your own maven repo. - You're still not
going to build everything from source and review the source code of all
dependencies and eclipse/maven plugins.
Best regards,
Thomas Koch, http://www.koch.ro
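As an added example of the "signed list of hashes" model the mail describes (this is not code from the mail or from Debian's tooling), the following Python parses a Debian-style Release file's SHA256 stanza and checks a mirror's files against it, only after the Release signature itself verified. Two simplifications are assumptions of this example: an HMAC with a constructed key stands in for the archive's GPG signature so it runs offline, and the .deb is listed directly in Release rather than through the Packages index.

```python
import hashlib
import hmac

def parse_release(text: str) -> dict[str, tuple[str, int]]:
    """Read the 'SHA256:' stanza of a Debian-style Release file: path -> (hex digest, size)."""
    entries, in_stanza = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):          # any new field ends a running stanza
            in_stanza = line.strip() == "SHA256:"
        elif in_stanza:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def verify_archive(release: bytes, sig: bytes, files: dict[str, bytes]) -> dict[str, str]:
    """Archive signature first; only then compare each file to the signed hash list.
    Returns path -> 'ok' | 'unlisted' | 'bad-hash'."""
    if not verify_sig(release, sig):
        raise ValueError("Release signature invalid: no hash in it can be trusted")
    listed = parse_release(release.decode())
    verdict = {}
    for path, data in files.items():
        if path not in listed:
            verdict[path] = "unlisted"        # never built/published by the archive
        else:
            digest, size = listed[path]
            good = len(data) == size and hmac.compare_digest(
                hashlib.sha256(data).hexdigest(), digest)
            verdict[path] = "ok" if good else "bad-hash"
    return verdict

def build_release(files: dict[str, bytes]) -> bytes:
    """Archive side: emit the SHA256 stanza for the published files (constructed sample)."""
    lines = ["Origin: Example", "Suite: stable", "SHA256:"]
    lines += [f" {hashlib.sha256(d).hexdigest()} {len(d)} {p}" for p, d in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()

# Stand-in for the archive's GPG signature: HMAC with a constructed key. Real Debian uses a
# public-key signature, so verifiers hold only the archive's public key, never a signing secret.
ARCHIVE_KEY = b"constructed-demo-key"
def sign(data: bytes) -> bytes:
    return hmac.new(ARCHIVE_KEY, data, hashlib.sha256).digest()
def verify_sig(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def demo() -> dict[str, str]:
    """Publish two files, then verify a mirror where one was altered and one was slipped in."""
    files = {"dists/stable/main/binary-amd64/Packages": b"Package: foo\nVersion: 1.0\n",
             "pool/main/f/foo/foo_1.0_amd64.deb": b"constructed .deb payload"}
    release = build_release(files)
    mirror = {**files, "pool/main/f/foo/foo_1.0_amd64.deb": b"constructed .deb payload!",
              "pool/main/e/evil/evil_1.0_amd64.deb": b"never listed"}
    return verify_archive(release, sign(release), mirror)
```

A tampered Release (or a Release signed with the wrong key) is rejected before any hash is consulted, which is the point of signing the list rather than the packages individually.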