Posted to general@incubator.apache.org by "Noel J. Bergman" <no...@devtech.com> on 2008/10/03 03:19:12 UTC

RE: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Emmanuel Lecharny wrote:

> Better a bad decision than no decision, otherwise, soon, nobody will
> vote anymore...

Not really.  Consider that there appears to be a clear consensus that if
Maven were to fix the download situation, requiring that users approve the
use of Incubator artifacts, rather than transparently use them, many of
the -1 would be +1.

It appears that the Maven community is finally getting a clue, and we can
hope for a resolution, perhaps 6 months out or less if they don't falter.

	--- Noel



---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: status of PGP support in Maven

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Fri, Oct 3, 2008 at 10:02 PM, sebb <se...@gmail.com> wrote:
> On 03/10/2008, Bruce Snyder <br...@gmail.com> wrote:
>> On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <no...@devtech.com> wrote:
>>
>> > Moved to the thread it belongs in ...
>>  >
>>  > Jason van Zyl wrote:
>>  >> Noel J. Bergman wrote:
>>  >> > Emmanuel Lecharny wrote:
>>  >>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>  >>>> vote anymore...
>>  >>> Not really.  Consider that there appears to be a clear consensus
>>  >>> that if Maven were to fix the download situation, requiring that users
>>  >>> approve the use of Incubator artifacts, rather than transparently use
>>  >>> them,  many of the -1 would be +1.
>>  >
>>  >> That's unlikely to happen. We're not going to be implementing policy
>>  >> enforcement for you.
>>  >
>>  > We don't need for you to implement any "policy" other than the requirement
>>  > for users to approve authorized signing keys.  You simply need to implement
>>  > artifact signing and mandatory authorization, which is why I've moved this
>>  > to the thread Brett started for purposes of discussing signing.
>>
>>
>> I'm trying to understand why authorization should be mandatory? To my
>>  knowledge, only some of the Linux package management tools (apt, port,
>>  rpm, yum) verify signatures by default and in the event of failure,
>>  they allow you to continue without the key verification.
>>
>>  Also, I've actually spoken to a number of folks about GPG verification
>>  of artifacts over the last year and very few folks actually use this
>>  today.

GPG is very good for certain purposes. downstream packagers should
check signatures (and know how to do so safely) but for normal users,
checking SHA sums against the main site is probably better.

>>  > Did you not see what just happened to Redhat with respect to Fedora?  They
>>  > take artifact security seriously.  For a long time, it has appeared that
>>  > Maven does not, but I am hopeful now that mandatory authorization will
>>  > appear, so that I and others will not have to increase lobbying efforts to
>>  > have the Maven repository closed, at least with respect to ASF projects.
>>
>>
>> Please explain what happened to RedHat with respect to Fedora. I'm not
>>  familiar with the situation.
>
> http://rtfa.net/2008/08/25/fedora-package-signing-server-compromise-crls-and-trust/
>
> and
>
> http://rhn.redhat.com/errata/RHSA-2008-0855.html

silver bullets don't work :-)

single key, single point of failure, single compromise required

sounds like it was picked up by their auditing system, though

BTW the RAT auditing stuff seems to be working ok now for the
incubator releases. if anyone wants to extend auditing to other
projects, i'd be happy to help.

- robert



Re: status of PGP support in Maven

Posted by sebb <se...@gmail.com>.
On 03/10/2008, Bruce Snyder <br...@gmail.com> wrote:
> On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <no...@devtech.com> wrote:
>
> > Moved to the thread it belongs in ...
>  >
>  > Jason van Zyl wrote:
>  >> Noel J. Bergman wrote:
>  >> > Emmanuel Lecharny wrote:
>  >>>> Better a bad decision than no decision, otherwise, soon, nobody will
>  >>>> vote anymore...
>  >>> Not really.  Consider that there appears to be a clear consensus
>  >>> that if Maven were to fix the download situation, requiring that users
>  >>> approve the use of Incubator artifacts, rather than transparently use
>  >>> them,  many of the -1 would be +1.
>  >
>  >> That's unlikely to happen. We're not going to be implementing policy
>  >> enforcement for you.
>  >
>  > We don't need for you to implement any "policy" other than the requirement
>  > for users to approve authorized signing keys.  You simply need to implement
>  > artifact signing and mandatory authorization, which is why I've moved this
>  > to the thread Brett started for purposes of discussing signing.
>
>
> I'm trying to understand why authorization should be mandatory? To my
>  knowledge, only some of the Linux package management tools (apt, port,
>  rpm, yum) verify signatures by default and in the event of failure,
>  they allow you to continue without the key verification.
>
>  Also, I've actually spoken to a number of folks about GPG verification
>  of artifacts over the last year and very few folks actually use this
>  today.
>
>
>  > Did you not see what just happened to Redhat with respect to Fedora?  They
>  > take artifact security seriously.  For a long time, it has appeared that
>  > Maven does not, but I am hopeful now that mandatory authorization will
>  > appear, so that I and others will not have to increase lobbying efforts to
>  > have the Maven repository closed, at least with respect to ASF projects.
>
>
> Please explain what happened to RedHat with respect to Fedora. I'm not
>  familiar with the situation.

http://rtfa.net/2008/08/25/fedora-package-signing-server-compromise-crls-and-trust/

and

http://rhn.redhat.com/errata/RHSA-2008-0855.html

>  Bruce
>  --
>  perl -e 'print unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
>  );'
>
>  Apache ActiveMQ - http://activemq.org/
>  Apache Camel - http://activemq.org/camel/
>  Apache ServiceMix - http://servicemix.org/
>
>  Blog: http://bruceblog.org/
>
>
>
>



Re: status of PGP support in Maven

Posted by Bruce Snyder <br...@gmail.com>.
On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <no...@devtech.com> wrote:
> Moved to the thread it belongs in ...
>
> Jason van Zyl wrote:
>> Noel J. Bergman wrote:
>> > Emmanuel Lecharny wrote:
>>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>>> vote anymore...
>>> Not really.  Consider that there appears to be a clear consensus
>>> that if Maven were to fix the download situation, requiring that users
>>> approve the use of Incubator artifacts, rather than transparently use
>>> them,  many of the -1 would be +1.
>
>> That's unlikely to happen. We're not going to be implementing policy
>> enforcement for you.
>
> We don't need for you to implement any "policy" other than the requirement
> for users to approve authorized signing keys.  You simply need to implement
> artifact signing and mandatory authorization, which is why I've moved this
> to the thread Brett started for purposes of discussing signing.

I'm trying to understand why authorization should be mandatory? To my
knowledge, only some of the Linux package management tools (apt, port,
rpm, yum) verify signatures by default and in the event of failure,
they allow you to continue without the key verification.

Also, I've actually spoken to a number of folks about GPG verification
of artifacts over the last year and very few folks actually use this
today.

> Did you not see what just happened to Redhat with respect to Fedora?  They
> take artifact security seriously.  For a long time, it has appeared that
> Maven does not, but I am hopeful now that mandatory authorization will
> appear, so that I and others will not have to increase lobbying efforts to
> have the Maven repository closed, at least with respect to ASF projects.

Please explain what happened to RedHat with respect to Fedora. I'm not
familiar with the situation.

Bruce
-- 
perl -e 'print unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
);'

Apache ActiveMQ - http://activemq.org/
Apache Camel - http://activemq.org/camel/
Apache ServiceMix - http://servicemix.org/

Blog: http://bruceblog.org/



Re: status of PGP support in Maven

Posted by Jukka Zitting <ju...@gmail.com>.
Hi,

On Fri, Oct 3, 2008 at 4:50 PM, Noel J. Bergman <no...@devtech.com> wrote:
> We don't need for you to implement any "policy" other than the requirement
> for users to approve authorized signing keys.  You simply need to implement
> artifact signing and mandatory authorization, which is why I've moved this
> to the thread Brett started for purposes of discussing signing.

This part of the discussion IMHO doesn't belong here in the Incubator.

You want artifact signing and verification so you can force users to
explicitly acknowledge the use of incubating dependencies. I say such
click through is not and should not be needed.

Could we please keep the discussion on that policy decision (click
through or no click through) instead of wondering when and how Maven
will support that out of the box?

BR,

Jukka Zitting



Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Posted by Jason van Zyl <ja...@maven.org>.
On 7-Oct-08, at 12:02 AM, Niclas Hedhman wrote:

> On Tue, Oct 7, 2008 at 11:47 AM, Jason van Zyl <ja...@maven.org>  
> wrote:
>> The central repository is the Maven PMC's business. What results  
>> will be
>> public policy but we'd like to avoid the banter of the misinformed  
>> so we can
>> arrive at a decision quickly.
>
> Yes, although the PMC is expected to do all non-sensitive discussion
> on the public dev@ list. But, so far I think the central repo has
> served the Java communities (not only Apache) very well. It allows
> sync'ing from other repository hosts, which has made life a lot easier
> for smaller projects.
>
> That said, I think that Maven should move away from a central
> repository, and instead go with distributed ones and possibly harness
> the power of search engines (Yahoo RDF?) to locate stuff everywhere.

This is already possible with Nexus (http://nexus.sonatype.org).  
Nexus, or the Nexus CLI tool, produces a Lucene index which Nexus uses  
to create a federated searching and retrieval mechanism.

One instance of Nexus can proxy any other Maven repository -- a  
repository manager or normal webserver -- and with the presence of the  
Nexus index allows federated searching and retrieval of artifacts  
through that single instance. Some groups are already starting to  
provide Nexus indices:

http://docs.codehaus.org/display/M2ECLIPSE/Nexus+Indexed+Maven+Repositories

This means you as a user can set up Nexus locally, create proxied
repositories and get access to the contents of those repositories. So  
if everyone did this we could federate all the repositories around the  
world and then central just becomes a switchboard. This would be great  
as it would distribute the load around, but I think we still might  
want to collect everything in one place for safety.

>
> To be able to do that securely, some clever security mechanisms must
> first be developed, and since that is in line with security-concerned
> people, I think it is a good thing to do so. "How hard can it be?",
> considering the expertise around detailing the requirements almost at
> code level, right  ;-) ?

Mercury will support PGP validation, and we are building support for  
PGP into Nexus so the indices could be retrieved and validated, and  
subsequent retrieval of artifacts could then also be validated. The  
technology is pretty much there to do what you're asking for but  
producing the indices in all the repositories will take time. But  
people are doing it because it also provides value in the IDEs.
m2eclipse, Netbeans, and IDEA are already integrating Nexus index  
technology to provide full POM auto-completion support, and we also  
use the index to find Maven plugins, Maven archetypes, and flag  
artifacts as having sources, javadocs, and valid checksums and  
signatures. So people will create indices to get the value in IDEs and  
as a consequence federating everything is possible.

>
>
>
> Cheers
> Niclas
>
>

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com
----------------------------------------------------------

We know what we are, but know not what we may be.

   -- Shakespeare




Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Posted by Niclas Hedhman <ni...@hedhman.org>.
On Tue, Oct 7, 2008 at 11:47 AM, Jason van Zyl <ja...@maven.org> wrote:
> The central repository is the Maven PMC's business. What results will be
> public policy but we'd like to avoid the banter of the misinformed so we can
> arrive at a decision quickly.

Yes, although the PMC is expected to do all non-sensitive discussion
on the public dev@ list. But, so far I think the central repo has
served the Java communities (not only Apache) very well. It allows
sync'ing from other repository hosts, which has made life a lot easier
for smaller projects.

That said, I think that Maven should move away from a central
repository, and instead go with distributed ones and possibly harness
the power of search engines (Yahoo RDF?) to locate stuff everywhere.
To be able to do that securely, some clever security mechanisms must
first be developed, and since that is in line with security-concerned
people, I think it is a good thing to do so. "How hard can it be?",
considering the expertise around detailing the requirements almost at
code level, right  ;-) ?


Cheers
Niclas



Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Posted by Jason van Zyl <ja...@maven.org>.
The central repository is not an Apache project's resource.

We've always discussed issues of the central repository in private
(except for technical details of syncing other project repositories)
and as far as policy goes it's the Maven PMC that will set it.
Members can see the list and we're fine with that. We already know
what everyone and their uncle wants and it's unlikely a productive
discussion will ensue. You just have to look here to see that. We're
not wasting our time in endless debate. We'll decide, take feedback,
adjust, and move on. We're actually going to set up a group call to
discuss the issues on the table. So by next week we'll have stuff for
people to discuss.

As far as Maven development goes, we work just like every other
project; the repository is different and affects every project and
organization. What we are deciding is beyond the realm of Apache.

On 7-Oct-08, at 11:23 AM, Doug Cutting wrote:

> Jason van Zyl wrote:
>> The central repository is the Maven PMC's business. What results  
>> will be public policy but we'd like to avoid the banter of the  
>> misinformed so we can arrive at a decision quickly.
>
> I'd love to avoid the banter of the misinformed too, but that's not  
> the way Apache projects are supposed to work, is it?  Private lists  
> should only be used for things which cannot be discussed in public,  
> e.g., personnel issues, security breaches, etc.
>
> Doug
>
>

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com
----------------------------------------------------------

A man enjoys his work when he understands the whole and when he
is responsible for the quality of the whole

  -- Christopher Alexander, A Pattern Language




Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Posted by Doug Cutting <cu...@apache.org>.
Jason van Zyl wrote:
> The central repository is the Maven PMC's business. What results will be 
> public policy but we'd like to avoid the banter of the misinformed so we 
> can arrive at a decision quickly.

I'd love to avoid the banter of the misinformed too, but that's not the 
way Apache projects are supposed to work, is it?  Private lists should 
only be used for things which cannot be discussed in public, e.g., 
personnel issues, security breaches, etc.

Doug



Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Posted by Jason van Zyl <ja...@maven.org>.
The central repository is the Maven PMC's business. What results will  
be public policy but we'd like to avoid the banter of the misinformed  
so we can arrive at a decision quickly.

On 6-Oct-08, at 10:22 AM, Noel J. Bergman wrote:

> Jason van Zyl wrote:
>
>> The discussions are taking place on the Maven PMC list. If you are a
>> member you can join the list.
>
> Why are those discussions taking place on a private, closed, list  
> instead of
> an open one?
>
> 	--- Noel
>
>
>
>

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com
----------------------------------------------------------

Simplex sigillum veri. (Simplicity is the seal of truth.)




RE: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Posted by "Noel J. Bergman" <no...@devtech.com>.
Jason van Zyl wrote:

> The discussions are taking place on the Maven PMC list. If you are a
> member you can join the list.

Why are those discussions taking place on a private, closed, list instead of
an open one?

	--- Noel





Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Posted by Jason van Zyl <ja...@maven.org>.
The discussions are taking place on the Maven PMC list. If you are a  
member you can join the list.

On 4-Oct-08, at 8:31 AM, Gilles Scokart wrote:

> 2008/10/3 Jason van Zyl <ja...@maven.org>:
>>
>> On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote:
>>
>>> Emmanuel Lecharny wrote:
>>>
>>>> Better a bad decision than no decision, otherwise, soon, nobody  
>>>> will
>>>> vote anymore...
>>>
>>> Not really.  Consider that there appears to be a clear consensus  
>>> that if
>>> Maven were to fix the download situation, requiring that users  
>>> approve the
>>> use of Incubator artifacts, rather than transparently use them,
>>> many of
>>> the -1 would be +1.
>>>
>>
>> That's unlikely to happen. We're not going to be implementing policy
>> enforcement for you.
>>
>> Our opinion is forming in the Maven PMC that we will not enforce  
>> third party
>> policy but will adhere to the legal distribution rights set forth  
>> by the
>> license. All PMC members who have voiced an opinion thus far have  
>> this
>> opinion,
>
> Where did this discussion take place?  Is there a thread we can read?
>
>
>
>
>> but we are scheduling a call for next week and we will have a
>> decision and stated policy shortly. We will keep you posted when we  
>> reach a
>> decision.
>>
>>> It appears that the Maven community is finally getting a clue, and  
>>> we can
>>> hope for a resolution, perhaps 6 months out or less if they don't  
>>> falter.
>>>
>>>       --- Noel
>>>
>>>
>>>
>>>
>>
>> Thanks,
>>
>> Jason
>>
>> ----------------------------------------------------------
>> Jason van Zyl
>> Founder,  Apache Maven
>> jason at sonatype dot com
>> ----------------------------------------------------------
>>
>> A man enjoys his work when he understands the whole and when he
>> is responsible for the quality of the whole
>>
>> -- Christopher Alexander, A Pattern Language
>>
>>
>>
>>
>
>
>
> -- 
> Gilles Scokart
>
>

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com
----------------------------------------------------------

happiness is like a butterfly: the more you chase it, the more it will
elude you, but if you turn your attention to other things, it will come
and sit softly on your shoulder ...

  -- Thoreau




Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Posted by Gilles Scokart <gs...@gmail.com>.
2008/10/3 Jason van Zyl <ja...@maven.org>:
>
> On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote:
>
>> Emmanuel Lecharny wrote:
>>
>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>> vote anymore...
>>
>> Not really.  Consider that there appears to be a clear consensus that if
>> Maven were to fix the download situation, requiring that users approve the
>> use of Incubator artifacts, rather than transparently use them, many of
>> the -1 would be +1.
>>
>
> That's unlikely to happen. We're not going to be implementing policy
> enforcement for you.
>
> Our opinion is forming in the Maven PMC that we will not enforce third party
> policy but will adhere to the legal distribution rights set forth by the
> license. All PMC members who have voiced an opinion thus far have this
> opinion,

Where did this discussion take place?  Is there a thread we can read?




> but we are scheduling a call for next week and we will have a
> decision and stated policy shortly. We will keep you posted when we reach a
> decision.
>
>> It appears that the Maven community is finally getting a clue, and we can
>> hope for a resolution, perhaps 6 months out or less if they don't falter.
>>
>>        --- Noel
>>
>>
>>
>>
>
> Thanks,
>
> Jason
>
> ----------------------------------------------------------
> Jason van Zyl
> Founder,  Apache Maven
> jason at sonatype dot com
> ----------------------------------------------------------
>
> A man enjoys his work when he understands the whole and when he
> is responsible for the quality of the whole
>
>  -- Christopher Alexander, A Pattern Language
>
>
>
>



-- 
Gilles Scokart



Re: status of PGP support in Maven

Posted by sebb <se...@gmail.com>.
On 03/10/2008, Brian E. Fox <br...@reply.infinity.nu> wrote:
>
>  >We don't have to.  We can simply mandate that every ASF project sign
>  their
>  >artifacts and charge the Maven PMC with enforcing it.
>
>
> And are you going to lobby Firefox and Microsoft to enforce in their
>  browsers?

Microsoft already *does* check signatures for ActiveX addons.

>  Seriously why is this Maven's problem simply because it
>  downloads it when you can't enforce this in any other method that people
>  download it?
>

There is a big difference between using a browser to download a
specific file chosen by the user and Maven downloading some file
automatically.

>
>  >On the other hand, imagine the fun when
>  >someone puts a nice bit of malware into the security-free zone known as
>  the
>  >Maven repository.
>
>
> Security Free?
>
>
>
>



RE: status of PGP support in Maven

Posted by "Brian E. Fox" <br...@reply.infinity.nu>.
>We don't have to.  We can simply mandate that every ASF project sign
their
>artifacts and charge the Maven PMC with enforcing it.

And are you going to lobby Firefox and Microsoft to enforce in their
browsers? Seriously why is this Maven's problem simply because it
downloads it when you can't enforce this in any other method that people
download it?


>On the other hand, imagine the fun when
>someone puts a nice bit of malware into the security-free zone known as
the
>Maven repository.  

Security Free?




Re: status of PGP support in Maven

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Fri, Oct 3, 2008 at 5:31 PM, Noel J. Bergman <no...@devtech.com> wrote:
> Jason van Zyl wrote:
>
>> Noel J. Bergman wrote:

<snip>

>> > Did you not see what just happened to Redhat with respect to
>> > Fedora?  They take artifact security seriously.  For a long time,
>> > it has appeared that Maven does not, but I am hopeful now that
>> > mandatory authorization will appear, so that I and others will not
>> > have to increase lobbying efforts to have the Maven repository
>> > closed, at least with respect to ASF projects.
>
>> How are you going to stop people from [creating their own artifacts and
> repositories] Noel when its their right?
>
> We don't have to.  We can simply mandate that every ASF project sign their
> artifacts and charge the Maven PMC with enforcing it.

sounds very reasonable

> And perhaps now you start to gain a glimmer of the depth of the problem
> created by Maven's irresponsible, unconscionable, lackadaisical, attitude
> towards security, despite other repository exemplars (e.g., linux
> distributions), having had security in place for years.

that's probably a little strong

many distros have only really addressed this in the last year or so,
and even then their solutions are far from perfect

IMO a combination of approaches is required to deliver good defense in
depth combining auditing, automatic signing, publication and wide
dissemination of results together with signatures by release managers.

this is also something that may well be best solved in a common forum.
it would be very useful to reach out to other organisations such as
fedora, debian, eclipse, java.net etc which have similar problems.

- robert



RE: status of PGP support in Maven

Posted by "Noel J. Bergman" <no...@devtech.com>.
Jason van Zyl wrote:

> Noel, your comments are completely out of whack with reality. You are
> asking Maven to enforce something that no one does. Pretty much
> almost no one.

> Checking PGP signatures is obviously not something the vast majority of
people do.

Really?  Try following the instructions at http://www.medibuntu.org/ for
adding the repository without adding the PGP key, and see how well it works.
Not that I am suggesting a single, centralized, master key for the entire
repository.  And, again, RedHat takes it so seriously that they shutdown
their distribution network when they had even the slightest concern that the
signing keys were compromised.

If you are saying that we don't have signed packages, I agree with you that
more projects should be signing.  I have signed JAMES releases for years.
But the problem is much worse when using Maven, since users haven't a clue
as to the provenance of the artifacts they don't even realize that they are
loading onto their systems.

In any event, this discussion should be moved to either repository@ or
infra-dev@.

	--- Noel





Re: status of PGP support in Maven

Posted by Jason van Zyl <ja...@maven.org>.
On 6-Oct-08, at 10:21 AM, Noel J. Bergman wrote:

> Niclas Hedhman wrote:
>
>> Being in the camp "I hate Maven too"
>
> I hate Maven's lack of authentication, the potential for widespread damage,
> and am immensely frustrated by their *years* of willfully negligent handling
> thereof.
>
>> I would like to swap Noel's statement around and ask; Why don't
>> security-concerned individuals participate in the Maven effort?
>> Lead by example and not by bashing...
>
> They have received constructive input for years.  They continue to do so.
> Jason's comments appear to echo the old-school negligence that I'd hoped the
> Maven PMC was at long last starting to be cured of.
>

Noel, your comments are completely out of whack with reality. You are  
asking Maven to enforce something that no one does. Pretty much almost  
no one.

Downloads from our own servers:

    57.47%  archive.apache.org
    40.72%  www.apache.org

  ... almost all are zip's and [.tar].gz's (see extensions report)

    92.72%      .zip [Zip archives]
     2.10%      .gz [Gzip compressed files]
     2.05%      .tar.gz [Compressed archives]
    < 0.1%      .asc (not even listed)

Almost no one is validating PGP signatures. It's not that we couldn't
in the past, we just had to choose to implement features that
delivered what our users wanted. Checking PGP signatures is obviously
not something the vast majority of people do. So pointing your finger
at us and calling it negligence is not even remotely correct. The same
goes for the checksums, which people also don't check, but Maven does this
automatically so we are, in fact, providing a greater degree of
security to the average user. By default a big warning message
appears and you can optionally fail builds if the checksum fails.

After having a discussion with Henk about the nature of PGP usage and  
checksums I share his sentiments which he has allowed me to quote:

  -- In the past I have maintained that the most important reason to
     sign stuff is to protect the /ASF/ (as opposed to downloaders).
     People trust the ASF to detect malware (trojans etc) and react
     upon detection. For downloaders, a simple md5 check should be
     sufficient. The ASF should be as cautious/suspicious as the
     most cautious/suspicious downloader imaginable. Are we ?

  -- Another reason: one day some computer science class is going
     to compare various open-software centers (like the ASF) on
     how well such centers protect themselves against malware.
     The ASF should be exemplary. Are we ?

When Mercury is integrated into Maven and people can optionally fail  
builds on failed PGP sig validation Maven will again provide a greater  
degree of security given that the practice of validating sigs is  
pretty much non-existent.


> 	--- Noel

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com
----------------------------------------------------------

Our achievements speak for themselves. What we have to keep track
of are our failures, discouragements and doubts. We tend to forget
the past difficulties, the many false starts, and the painful
groping. We see our past achievements as the end result of a
clean forward thrust, and our present difficulties as
signs of decline and decay.

  -- Eric Hoffer, Reflections on the Human Condition
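As an added illustration of the two checks this post contrasts (the checksum Maven verifies automatically under its warn/fail/ignore policy, and the detached PGP signature a user has to verify for themselves), the following Python is example code written for this page, not Maven's own. It assumes the usual repository layout, with `artifact.jar`, `artifact.jar.sha1` and `artifact.jar.asc` side by side and a project `KEYS` file of ASCII-armored public keys; the sample artifact is constructed.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile

# Maven's repository <checksumPolicy> values: "warn" is the default,
# "fail" breaks the build on a mismatch, "ignore" skips the check.
POLICIES = ("warn", "fail", "ignore")


class ChecksumMismatch(Exception):
    """Raised under the 'fail' policy when the digest does not match."""


def parse_checksum_file(text):
    """Return the lowercased hex digest from a Maven .sha1/.md5 file.

    Repositories serve either the bare digest or coreutils style
    ("<digest>  <filename>"), so only the first token is used.
    """
    tokens = text.strip().split()
    return tokens[0].lower() if tokens else ""


def verify_checksum(artifact_path, policy="warn"):
    """Compare the artifact's SHA-1 with its sibling .sha1 file.

    True on match; None under 'ignore'; on mismatch False under 'warn'
    (after printing the warning) or ChecksumMismatch under 'fail'.
    The .sha1 file comes from the same server as the artifact, so this
    only catches corruption in transit, not a tampered repository.
    """
    if policy not in POLICIES:
        raise ValueError("unknown checksum policy: %s" % policy)
    if policy == "ignore":
        return None
    with open(artifact_path, "rb") as fh:
        actual = hashlib.sha1(fh.read()).hexdigest()
    with open(artifact_path + ".sha1") as fh:
        expected = parse_checksum_file(fh.read())
    if actual == expected:
        return True
    message = "checksum mismatch for %s: expected %s, got %s" % (
        os.path.basename(artifact_path), expected, actual)
    if policy == "fail":
        raise ChecksumMismatch(message)
    print("[WARNING] " + message)
    return False


def verify_signature(artifact_path, keys_file):
    """Check <artifact>.asc against KEYS in a throwaway gpg home directory.

    True for a good signature, False otherwise, None when gpg is missing.
    A good signature only proves the signer holds a key listed in KEYS;
    deciding whether to trust that KEYS file is still up to the user.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    with tempfile.TemporaryDirectory() as home:
        base = [gpg, "--batch", "--homedir", home]
        subprocess.run(base + ["--import", keys_file],
                       check=True, capture_output=True)
        result = subprocess.run(
            base + ["--verify", artifact_path + ".asc", artifact_path],
            capture_output=True)
        return result.returncode == 0


def make_fixture(tamper=False):
    """Constructed sample artifact plus Maven-style .sha1 in a fresh temp dir."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "demo-1.0.jar")
    data = b"PK\x03\x04 constructed demo artifact bytes, not a real jar"
    with open(path, "wb") as fh:
        fh.write(data)
    with open(path + ".sha1", "w") as fh:
        fh.write("%s  demo-1.0.jar\n" % hashlib.sha1(data).hexdigest())
    if tamper:  # simulate a corrupted or swapped download
        with open(path, "ab") as fh:
            fh.write(b"\x00")
    return path


if __name__ == "__main__":
    print("intact:", verify_checksum(make_fixture()))               # True
    print("tampered:", verify_checksum(make_fixture(tamper=True)))  # False
```

Run against a real download, `verify_signature` needs the project's KEYS file fetched over a trusted channel, since a KEYS file served from the same compromised repository proves nothing.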


RE: status of PGP support in Maven

Posted by "Noel J. Bergman" <no...@devtech.com>.
Niclas Hedhman wrote:

> Being in the camp "I hate Maven too"

I hate Maven's lack of authentication, the potential for widespread damage,
and am immensely frustrated by their *years* of willfully negligent handling
thereof.

> I would like to swap Noel's statement around and ask; Why don't
> security-concerned individuals participate in the Maven effort?
> Lead by example and not by bashing...

They have received constructive input for years.  They continue to do so.
Jason's comments appear to echo the old-school negligence that I'd hoped the
Maven PMC was at long last starting to be cured of.

	--- Noel





Re: status of PGP support in Maven

Posted by Niclas Hedhman <ni...@hedhman.org>.
On Mon, Oct 6, 2008 at 10:45 AM, Henning Schmiedehausen
<he...@schmiedehausen.org> wrote:
> On Fri, 2008-10-03 at 12:31 -0400, Noel J. Bergman wrote:
>>
>> We don't have to.  We can simply mandate that every ASF project sign their
>> artifacts and charge the Maven PMC with enforcing it.
>
> No. The Maven PMC is charged with developing software for the Apache
> Maven project. If we really want to put a distribution policy in place
> and enforce it, I can see us creating a repository PMC which does this
> (and talk to Maven about the features that they would like to see or
> (gasp!) implement them and contribute them back to Maven. I would see
> such a PMC as part of or collaborating with Infrastructure.

I thought this effort was started years and years ago...

> Maven is a piece of software, not a distribution mechanism. They just
> happen to build it because no one else did.
>
>> And perhaps now you start to gain a glimmer of the depth of the problem
>> created by Maven's irresponsible, unconscionable, lackadaisical attitude
>> towards security, despite other repository exemplars (e.g., linux
>> distributions), having had security in place for years.  Yes, it may be a
>
> Please stop it, Noel. This is not constructive.

Being in the camp "I hate Maven too", I must say I agree with Henning
that the language used was inappropriate.

I would like to swap Noel's statement around and ask; Why don't
security-concerned individuals participate in the Maven effort? Lead
by example and not by bashing...


Cheers
Niclas



RE: status of PGP support in Maven

Posted by Henning Schmiedehausen <he...@schmiedehausen.org>.
On Mon, 2008-10-06 at 10:21 -0400, Noel J. Bergman wrote:
> Henning Schmiedehausen wrote:
> 
> > Noel J. Bergman wrote:
> > > We don't have to.  We can simply mandate that every ASF project sign
> > > their artifacts and charge the Maven PMC with enforcing it.
> 
> > No. The Maven PMC is charged with developing software for the Apache
> > Maven project.
> 
> You misunderstand.  I mean that the Maven code should enforce
> authentication, not that the Maven PMC must police the repository.

Maven is a modular framework. If you want to enforce such policy, it
should be possible to write plugins to do so. All that is needed is
someone to write them or fund writing. The current Maven group seems to
feel that they don't need them or they are not high on the prio list. So
someone else must do it. This is a do-ocracy. :-) 

> 
> > If we really want to put a distribution policy in place
> > and enforce it, I can see us creating a repository PMC which does this
> 
> We already have that as a subgroup of Infrastructure.  The
> repository@apache.org list has existed for *years*.

I know. So why are you bashing the Maven PMC when you mean the
"repository management group"? 

	Ciao
		Henning






RE: status of PGP support in Maven

Posted by "Noel J. Bergman" <no...@devtech.com>.
Henning Schmiedehausen wrote:

> Noel J. Bergman wrote:
> > We don't have to.  We can simply mandate that every ASF project sign
> > their artifacts and charge the Maven PMC with enforcing it.

> No. The Maven PMC is charged with developing software for the Apache
> Maven project.

You misunderstand.  I mean that the Maven code should enforce
authentication, not that the Maven PMC must police the repository.

> If we really want to put a distribution policy in place
> and enforce it, I can see us creating a repository PMC which does this

We already have that as a subgroup of Infrastructure.  The
repository@apache.org list has existed for *years*.

	--- Noel





RE: status of PGP support in Maven

Posted by Henning Schmiedehausen <he...@schmiedehausen.org>.
On Fri, 2008-10-03 at 12:31 -0400, Noel J. Bergman wrote:
> 
> We don't have to.  We can simply mandate that every ASF project sign their
> artifacts and charge the Maven PMC with enforcing it.

No. The Maven PMC is charged with developing software for the Apache
Maven project. If we really want to put a distribution policy in place
and enforce it, I can see us creating a repository PMC which does this
(and talk to Maven about the features that they would like to see or
(gasp!) implement them and contribute them back to Maven. I would see
such a PMC as part of or collaborating with Infrastructure. 

Maven is a piece of software, not a distribution mechanism. They just
happen to build it because no one else did.

> And perhaps now you start to gain a glimmer of the depth of the problem
> created by Maven's irresponsible, unconscionable, lackadaisical attitude
> towards security, despite other repository exemplars (e.g., linux
> distributions), having had security in place for years.  Yes, it may be a

Please stop it, Noel. This is not constructive. 

	Ciao
		Henning






Re: status of PGP support in Maven

Posted by Jason van Zyl <ja...@maven.org>.
On 3-Oct-08, at 12:31 PM, Noel J. Bergman wrote:

> Jason van Zyl wrote:
>
>> Noel J. Bergman wrote:
>>> We don't need for you to implement any "policy" other than the
>>> requirement for users to approve authorized signing keys.  You
>>> simply need to  implement artifact signing and mandatory
>>> authorization, which is why I've moved this to the thread Brett
>>> started for purposes of discussing signing.
>
>> You are not the Incubator PMC
>
> And where did I imply otherwise??
>
>> and what the Incubator says they require is far from clear. Disclaimers,
>> notices, PGP keys. No one knows what anyone wants here. No one
>> can follow these discussions.
>
> That's rather over the top.

We're talking years here Noel. Point at anything that succinctly  
states the policy. Doesn't exist. I think if you asked anyone right  
now they would have no idea what the result is. We had a majority  
vote, someone on the board said that's the way we should go, some  
agree, some don't, then you step in and say that's not the way it is  
because Greg said that's the way it is. It's not meant to be over the  
top, just a statement of fact.

> The disclaimer and notice requirements are well
> documented and have been for a long time.  The PGP key situation is under
> discussion, likely to be resolved by the Infrastructure Team, and will be an
> ASF-wide issue.  The Incubator relationship is that the same mandatory
> requirement for security that needs to be imposed on Maven can also address
> the long-standing requirement that users be aware of and accepting that they
> are using Incubator artifacts.

You won't be imposing anything on Maven and what we do with central or  
what security measures we do, or do not implement. Policy here is, of  
course, of the IPMC. Turn on/off repositories as you see fit. It's got  
nothing to do with the way Maven users access the central repository.  
If you don't want to participate directly making artifacts available  
then don't.

We're not fighting you, and technically we've made it easier for folks  
to check if there are signatures but lots of projects don't and that's  
not Maven's problem, it's not Ivy's problem, it's not BuildR's problem.

>
>
>> Oleg, who is responsible for implementing Mercury which has
>> full PGP support, has this functionality working on all branches of
>> Maven but the option to use it will be in the hands of the user. As
>> the quality and tools for supporting PGP get better, and more people
>> use them we will again take a look at the default behavior.
>
>>> Did you not see what just happened to Redhat with respect to
>>> Fedora?  They take artifact security seriously.  For a long time,
>>> it has appeared that Maven does not, but I am hopeful now that
>>> mandatory authorization will appear, so that I and others will not
>>> have to increase lobbying efforts to have the Maven repository
>>> closed, at least with respect to ASF projects.
>
>> How are you going to stop people from [creating their own artifacts and
>> repositories] Noel when it's their right?
>
> We don't have to.  We can simply mandate that every ASF project sign their
> artifacts and charge the Maven PMC with enforcing it.

The first part is already mandated, or I certainly thought it was. The  
second part of that is not going to happen.

>
>
> And perhaps now you start to gain a glimmer of the depth of the problem
> created by Maven's irresponsible, unconscionable, lackadaisical attitude
> towards security, despite other repository exemplars (e.g., linux
> distributions), having had security in place for years.  Yes, it may be a
> bit painful to make the change.  On the other hand, imagine the fun when
> someone puts a nice bit of malware into the security-free zone known as the
> Maven repository.  Not only do I agree with Henning's assessment, I think
> that network administrators should block the Maven repository at their
> firewalls.

Tell them that. See what they do.


Thanks,

Jason





RE: status of PGP support in Maven

Posted by "Noel J. Bergman" <no...@devtech.com>.
Jason van Zyl wrote:

> Noel J. Bergman wrote:
> > We don't need for you to implement any "policy" other than the
> > requirement for users to approve authorized signing keys.  You
> > simply need to  implement artifact signing and mandatory
> > authorization, which is why I've moved this to the thread Brett
> > started for purposes of discussing signing.

> You are not the Incubator PMC

And where did I imply otherwise??

> and what the Incubator says they require is far from clear. Disclaimers,
> notices, PGP keys. No one  knows what anyone wants here. No one
> can follow these discussions.

That's rather over the top.  The disclaimer and notice requirements are well
documented and have been for a long time.  The PGP key situation is under
discussion, likely to be resolved by the Infrastructure Team, and will be an
ASF-wide issue.  The Incubator relationship is that the same mandatory
requirement for security that needs to be imposed on Maven can also address
the long-standing requirement that users be aware of and accepting that they
are using Incubator artifacts.

> Oleg, who is responsible for implementing Mercury which has
> full PGP support, has this functionality working on all branches of
> Maven but the option to use it will be in the hands of the user. As
> the quality and tools for supporting PGP get better, and more people
> use them we will again take a look at the default behavior.

> > Did you not see what just happened to Redhat with respect to
> > Fedora?  They take artifact security seriously.  For a long time,
> > it has appeared that Maven does not, but I am hopeful now that
> > mandatory authorization will appear, so that I and others will not
> > have to increase lobbying efforts to have the Maven repository
> > closed, at least with respect to ASF projects.

> How are you going to stop people from [creating their own artifacts and
> repositories] Noel when it's their right?

We don't have to.  We can simply mandate that every ASF project sign their
artifacts and charge the Maven PMC with enforcing it.

And perhaps now you start to gain a glimmer of the depth of the problem
created by Maven's irresponsible, unconscionable, lackadaisical attitude
towards security, despite other repository exemplars (e.g., linux
distributions), having had security in place for years.  Yes, it may be a
bit painful to make the change.  On the other hand, imagine the fun when
someone puts a nice bit of malware into the security-free zone known as the
Maven repository.  Not only do I agree with Henning's assessment, I think
that network administrators should block the Maven repository at their
firewalls.

	--- Noel





Re: status of PGP support in Maven

Posted by Jason van Zyl <ja...@maven.org>.
On 3-Oct-08, at 10:50 AM, Noel J. Bergman wrote:

> Moved to the thread it belongs in ...
>
> Jason van Zyl wrote:
>> Noel J. Bergman wrote:
>>> Emmanuel Lecharny wrote:
>>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>>> vote anymore...
>>> Not really.  Consider that there appears to be a clear consensus
>>> that if Maven were to fix the download situation, requiring that users
>>> approve the use of Incubator artifacts, rather than transparently use
>>> them, many of the -1 would be +1.
>
>> That's unlikely to happen. We're not going to be implementing policy
>> enforcement for you.
>
> We don't need for you to implement any "policy" other than the requirement
> for users to approve authorized signing keys.  You simply need to implement
> artifact signing and mandatory authorization, which is why I've moved this
> to the thread Brett started for purposes of discussing signing.

You are not the Incubator PMC, and what the Incubator says they  
require is far from clear. Disclaimers, notices, PGP keys. No one  
knows what anyone wants here. No one can follow these discussions.

There will be no mandatory authorization. That will not be turned on  
by default in the foreseeable future. The tools will exist for people  
to use as they see fit. It is more likely that people using repository  
managers will enable this, but it won't be turned on in the Maven  
client. Oleg, who is responsible for implementing Mercury which has  
full PGP support, has this functionality working on all branches of  
Maven but the option to use it will be in the hands of the user. As  
the quality and tools for supporting PGP get better, and more people  
use them we will again take a look at the default behavior.

>
>
> Did you not see what just happened to Redhat with respect to Fedora?  They
> take artifact security seriously.  For a long time, it has appeared that
> Maven does not, but I am hopeful now that mandatory authorization will
> appear, so that I and others will not have to increase lobbying efforts to
> have the Maven repository closed, at least with respect to ASF projects.

Lobby away. Close the repository, then what's going to happen? Someone  
checks out all the sources with a CI system, builds everything and  
publishes them, then what are you going to do? Shut down anonymous SVN  
access because people are doing what they can by rights of the  
license? Track them down and tell them not to do it? Tell the Maven  
PMC to intervene to stop people from making submissions via JIRA. Stop  
the repositories that are already syncing Apache artifacts to central  
or hosting their own repositories? How are you going to stop people  
from doing this Noel when it's their right? You going to lock down
everything to the point where no one wants to get involved?


Thanks,

Jason





re: status of PGP support in Maven

Posted by "Noel J. Bergman" <no...@devtech.com>.
Moved to the thread it belongs in ...

Jason van Zyl wrote:
> Noel J. Bergman wrote:
> > Emmanuel Lecharny wrote:
>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>> vote anymore...
>> Not really.  Consider that there appears to be a clear consensus
>> that if Maven were to fix the download situation, requiring that users
>> approve the use of Incubator artifacts, rather than transparently use
>> them, many of the -1 would be +1.

> That's unlikely to happen. We're not going to be implementing policy
> enforcement for you.

We don't need for you to implement any "policy" other than the requirement
for users to approve authorized signing keys.  You simply need to implement
artifact signing and mandatory authorization, which is why I've moved this
to the thread Brett started for purposes of discussing signing.

Did you not see what just happened to Redhat with respect to Fedora?  They
take artifact security seriously.  For a long time, it has appeared that
Maven does not, but I am hopeful now that mandatory authorization will
appear, so that I and others will not have to increase lobbying efforts to
have the Maven repository closed, at least with respect to ASF projects.

	--- Noel





Re: [RESULT] [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository

Posted by Jason van Zyl <ja...@maven.org>.
On 2-Oct-08, at 9:19 PM, Noel J. Bergman wrote:

> Emmanuel Lecharny wrote:
>
>> Better a bad decision than no decision, otherwise, soon, nobody will
>> vote anymore...
>
> Not really.  Consider that there appears to be a clear consensus that if
> Maven were to fix the download situation, requiring that users approve the
> use of Incubator artifacts, rather than transparently use them, many of
> the -1 would be +1.
>

That's unlikely to happen. We're not going to be implementing policy  
enforcement for you.

Our opinion is forming in the Maven PMC that we will not enforce third  
party policy but will adhere to the legal distribution rights set  
forth by the license. All PMC members who have voiced an opinion thus  
far have this opinion, but we are scheduling a call for next week and  
we will have a decision and stated policy shortly. We will keep you  
posted when we reach a decision.

> It appears that the Maven community is finally getting a clue, and we can
> hope for a resolution, perhaps 6 months out or less if they don't falter.

Thanks,

Jason


