Posted to infrastructure-dev@apache.org by Thomas Koch <th...@koch.ro> on 2011/09/16 09:40:19 UTC

secure distributions was: jar signing

Hi,

I'm very happy to see the topic of secure binaries raised. I'm very worried 
that it's virtually impossible to do java development without compromising the 
security of every machine involved.[1]

Since I come from Debian I thought some background about the security model of 
the Debian archive could be of interest:

http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign
http://www.cryptnet.net/fdp/crypto/strong_distro.html

Some bullet points (disclaimer: I'm not an expert in this.):

* Debian Maintainers upload source code, which gets built by the archive.
* Maintainers need to have their GPG key in the Debian keyring to have upload 
permission.
* Every archive contains a signed list of the hashes of all packages included.
* The archive key is renewed every year.
* The Debian process could of course still be improved. (Require two 
Maintainers to sign an upload?)

[1] Don't tell me that you can set up your own maven repo. - You're still not 
going to build everything from source and review the source code of all 
dependencies and eclipse/maven plugins.

Best regards,

Thomas Koch, http://www.koch.ro
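As an added example (not code from Thomas's mail or from Debian's own tooling), here is the hash-chain part of the model described above in Python: a signed top-level manifest lists the digest of the package index, and the index lists the digest of every package, so a tampered package or a swapped index is caught. It assumes the manifest's signature has already been checked by gpg; the package names and contents are constructed.

```python
import hashlib

# Constructed sample data (not from the post): package payloads, an index that
# lists their SHA-256 digests, and a manifest that lists the digest of the index.
# In Debian the manifest is the GPG-signed Release file and the index is the
# Packages file; the signature over the manifest is assumed to have been
# verified already (e.g. by gpg) before this chain check runs.
PACKAGES = {
    "hadoop_1.0_all.deb": b"contents of hadoop package",
    "zookeeper_3.4_all.deb": b"contents of zookeeper package",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_index(packages: dict) -> bytes:
    # One "<sha256> <size> <filename>" line per package, like a Packages list.
    lines = [f"{sha256(b)} {len(b)} {name}" for name, b in sorted(packages.items())]
    return ("\n".join(lines) + "\n").encode()

def build_manifest(index: bytes) -> bytes:
    # Release-style manifest: a SHA256 section listing the index file.
    return f"SHA256:\n {sha256(index)} {len(index)} Packages\n".encode()

def parse_hash_lines(text: bytes) -> dict:
    # Returns {filename: (digest, size)} for every "<digest> <size> <name>" line.
    entries = {}
    for line in text.decode().splitlines():
        parts = line.split()
        if len(parts) == 3 and len(parts[0]) == 64:
            entries[parts[2]] = (parts[0], int(parts[1]))
    return entries

def verify_archive(manifest: bytes, index: bytes, packages: dict) -> list:
    """Walk the trust chain manifest -> index -> packages.
    Returns the names that fail; an empty list means everything verified."""
    expected = parse_hash_lines(manifest).get("Packages")
    if expected is None or expected != (sha256(index), len(index)):
        # The index does not match the signed manifest, so nothing below it is trusted.
        return ["Packages"]
    listed = parse_hash_lines(index)
    failures = []
    for name, data in packages.items():
        # A package missing from the index is as bad as one with a wrong digest.
        if listed.get(name) != (sha256(data), len(data)):
            failures.append(name)
    return failures
```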