Posted to dev@maven.apache.org by Greg Trasuk <tr...@stratuscom.com> on 2016/05/18 17:58:15 UTC

Re: SHA512 by default for GPG sigs

Hi Christopher:

Thanks for your involvement.  Apache Maven is one of many projects at the Apache Software Foundation.  Each project has its own mailing lists.  So your discussion should probably go to dev@maven.apache.org, which I’ve cc’d on this response.  If you’re not subscribed to that list, you probably should do that as well - check the Apache Maven web site (http://maven.apache.org) for more info.

Thanks again,

Greg Trasuk

> On May 18, 2016, at 1:45 PM, Christopher <ct...@apache.org> wrote:
> 
> Hi all,
> 
> I'm not sure a better list to get feedback on, but I wanted to bring
> attention to the proposal here:
> https://issues.apache.org/jira/browse/MPOM-118
> 
> Essentially this is a suggestion to configure the maven-gpg-plugin to sign
> using SHA512 as its digest algorithm in the ASF Parent POM, used by many
> Maven/Java-based projects within ASF. This configuration takes effect
> during software releases when this plugin is activated (typically prior to
> a release candidate vote, and staging a release in Nexus for distribution
> to Maven Central).
> 
> This would only affect the hash algorithm used to generate GPG signatures
> for releases, and not any separate SHA/MD hashes published separately by
> any project, which can be weaker (SHA1, MD5) for convenience, and don't
> convey the strong authenticity statement that digital signatures provide.
> 
> For background, gpg uses SHA1 by default, unless the signing key or gpg
> configuration has a preference to use another algorithm (as described on
> https://www.apache.org/dev/openpgp).
> 
> This proposed configuration change wouldn't force the use of SHA512 (it
> could still be overridden by a project), but it would make it the default,
> which helps improve the security of releases in the case where release
> managers have failed to keep their configuration up-to-date with the best
> recommendations for using gpg.
> 
> Thoughts? +1s? Discuss here or on the JIRA please.
> 
> Thank you.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
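A verifier-side check for the situation the proposal describes, added here as an example and not code from this thread or from the ASF parent POM: it reads gpg's machine-readable `--status-fd` output and reports which digest a release signature was actually made with, flagging the SHA1 default that the proposal wants to move away from. The sample status lines, key ids and fingerprints are constructed.

```python
"""Report the digest algorithm behind an OpenPGP signature, using the
VALIDSIG line that gpg emits on --status-fd. gpg signs with SHA1 unless the
key or configuration prefers otherwise, so a release checker should look at
this field rather than assume the signer's setup was current."""
import subprocess
from typing import Optional

# OpenPGP hash-algorithm IDs (RFC 4880, section 9.4) as they appear in the
# hash-algo field of gpg's VALIDSIG status line.
HASH_ALGOS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160",
    8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224",
}
WEAK_DIGESTS = {"MD5", "SHA1"}


def parse_validsig(status_output: str) -> Optional[dict]:
    """Extract fingerprint and digest from the VALIDSIG line, if present.

    VALIDSIG fields after the "[GNUPG:]" prefix and keyword:
      fpr, sig-date, sig-timestamp, expire-timestamp, sig-version,
      reserved, pubkey-algo, hash-algo, sig-class, primary-key-fpr
    No VALIDSIG line means gpg did not accept the signature, so callers
    must treat None as "not verified", never as "fine".
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 11 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            algo_id = int(parts[9])
            digest = HASH_ALGOS.get(algo_id, f"unknown({algo_id})")
            return {
                "fingerprint": parts[2],
                "digest": digest,
                # Unknown ids are treated as weak: fail closed.
                "weak": digest in WEAK_DIGESTS or digest.startswith("unknown"),
            }
    return None


def verify_artifact(artifact: str, signature: str) -> Optional[dict]:
    """Run gpg on a real artifact/.asc pair and return parse_validsig's result.

    Needs gpg and the signer's public key in the local keyring; the offline
    sample below does not call this."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True,
    )
    return parse_validsig(proc.stdout)


# Constructed sample status output (fake key id and fingerprints) in the
# shape gpg emits for a signature made with the SHA1 default (hash-algo 2)...
SHA1_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Manager <rm@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-05-18 1463590695 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
# ...and for one made after switching the digest to SHA512 (hash-algo 10).
SHA512_STATUS = SHA1_STATUS.replace(" 0 1 2 00 ", " 0 1 10 00 ")

if __name__ == "__main__":
    for label, status in (("SHA1 default", SHA1_STATUS), ("SHA512", SHA512_STATUS)):
        print(label, "->", parse_validsig(status))
```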


Re: SHA512 by default for GPG sigs

Posted by Andy Seaborne <an...@apache.org>.
On 18/05/16 18:58, Greg Trasuk wrote:
>
> Hi Christopher:
>
> Thanks for your involvement.  Apache Maven is one of many projects at the Apache Software Foundation.  Each project has its own mailing lists.  So your discussion should probably go to dev@maven.apache.org, which I’ve cc’d on this response.  If you’re not subscribed to that list, you probably should do that as well - check the Apache Maven web site (http://maven.apache.org) for more info.
>
> Thanks again,
>
> Greg Trasuk

I think Christopher is talking about the Apache POM and effect on ASF 
releases for java-related projects that use org.apache:apache, rather 
than maven development.

	Andy

>
>> On May 18, 2016, at 1:45 PM, Christopher <ct...@apache.org> wrote:
>>
>> Hi all,
>>
>> I'm not sure a better list to get feedback on, but I wanted to bring
>> attention to the proposal here:
>> https://issues.apache.org/jira/browse/MPOM-118
>>
>> Essentially this is a suggestion to configure the maven-gpg-plugin to sign
>> using SHA512 as its digest algorithm in the ASF Parent POM, used by many
>> Maven/Java-based projects within ASF. This configuration takes effect
>> during software releases when this plugin is activated (typically prior to
>> a release candidate vote, and staging a release in Nexus for distribution
>> to Maven Central).
>>
>> This would only affect the hash algorithm used to generate GPG signatures
>> for releases, and not any separate SHA/MD hashes published separately by
>> any project, which can be weaker (SHA1, MD5) for convenience, and don't
>> convey the strong authenticity statement that digital signatures provide.
>>
>> For background, gpg uses SHA1 by default, unless the signing key or gpg
>> configuration has a preference to use another algorithm (as described on
>> https://www.apache.org/dev/openpgp).
>>
>> This proposed configuration change wouldn't force the use of SHA512 (it
>> could still be overridden by a project), but it would make it the default,
>> which helps improve the security of releases in the case where release
>> managers have failed to keep their configuration up-to-date with the best
>> recommendations for using gpg.
>>
>> Thoughts? +1s? Discuss here or on the JIRA please.
>>
>> Thank you.
>


Re: SHA512 by default for GPG sigs

Posted by Christopher <ct...@apache.org>.
Yes, that is correct. I'm referring to the ASF-wide parent pom.

If I understand the situation correctly, releases of that POM are managed
by the Maven PMC, but because of its utility throughout the ASF, Hervé
Boutemy had commented on MPOM-118 that it should be brought to the
attention of a larger audience. This thread is the result of his
observation. :)

But there is no harm done. Thanks for providing an opportunity to clarify.

On Wed, May 18, 2016 at 3:26 PM Greg Trasuk <tr...@stratuscom.com> wrote:

> Whoops.  Sorry about that.
>
> Greg
>
> > On May 18, 2016, at 2:50 PM, Benson Margulies <bi...@gmail.com>
> wrote:
> >
> > Greg, the proposal is for the _Default ASF POM_ to be set up so that
> > _all_ projects would use SHA-512. This is not a question for the Maven
> > PMC.
> >
> > On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk <tr...@stratuscom.com>
> wrote:
> >>
> >> Hi Christopher:
> >>
> >> Thanks for your involvement.  Apache Maven is one of many projects at
> the Apache Software Foundation.  Each project has its own mailing lists.
> So your discussion should probably go to dev@maven.apache.org, which I’ve
> cc’d on this response.  If you’re not subscribed to that list, you probably
> should do that as well - check the Apache Maven web site (
> http://maven.apache.org) for more info.
> >>
> >> Thanks again,
> >>
> >> Greg Trasuk
> >>
> >>> On May 18, 2016, at 1:45 PM, Christopher <ct...@apache.org> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I'm not sure a better list to get feedback on, but I wanted to bring
> >>> attention to the proposal here:
> >>> https://issues.apache.org/jira/browse/MPOM-118
> >>>
> >>> Essentially this is a suggestion to configure the maven-gpg-plugin to
> sign
> >>> using SHA512 as its digest algorithm in the ASF Parent POM, used by
> many
> >>> Maven/Java-based projects within ASF. This configuration takes effect
> >>> during software releases when this plugin is activated (typically
> prior to
> >>> a release candidate vote, and staging a release in Nexus for
> distribution
> >>> to Maven Central).
> >>>
> >>> This would only affect the hash algorithm used to generate GPG
> signatures
> >>> for releases, and not any separate SHA/MD hashes published separately
> by
> >>> any project, which can be weaker (SHA1, MD5) for convenience, and don't
> >>> convey the strong authenticity statement that digital signatures
> provide.
> >>>
> >>> For background, gpg uses SHA1 by default, unless the signing key or gpg
> >>> configuration has a preference to use another algorithm (as described
> on
> >>> https://www.apache.org/dev/openpgp).
> >>>
> >>> This proposed configuration change wouldn't force the use of SHA512 (it
> >>> could still be overridden by a project), but it would make it the
> default,
> >>> which helps improve the security of releases in the case where release
> >>> managers have failed to keep their configuration up-to-date with the
> best
> >>> recommendations for using gpg.
> >>>
> >>> Thoughts? +1s? Discuss here or on the JIRA please.
> >>>
> >>> Thank you.
> >>


Re: SHA512 by default for GPG sigs

Posted by Greg Trasuk <tr...@stratuscom.com>.
Whoops.  Sorry about that.

Greg

> On May 18, 2016, at 2:50 PM, Benson Margulies <bi...@gmail.com> wrote:
> 
> Greg, the proposal is for the _Default ASF POM_ to be set up so that
> _all_ projects would use SHA-512. This is not a question for the Maven
> PMC.
> 
> On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk <tr...@stratuscom.com> wrote:
>> 
>> Hi Christopher:
>> 
>> Thanks for your involvement.  Apache Maven is one of many projects at the Apache Software Foundation.  Each project has its own mailing lists.  So your discussion should probably go to dev@maven.apache.org, which I’ve cc’d on this response.  If you’re not subscribed to that list, you probably should do that as well - check the Apache Maven web site (http://maven.apache.org) for more info.
>> 
>> Thanks again,
>> 
>> Greg Trasuk
>> 
>>> On May 18, 2016, at 1:45 PM, Christopher <ct...@apache.org> wrote:
>>> 
>>> Hi all,
>>> 
>>> I'm not sure a better list to get feedback on, but I wanted to bring
>>> attention to the proposal here:
>>> https://issues.apache.org/jira/browse/MPOM-118
>>> 
>>> Essentially this is a suggestion to configure the maven-gpg-plugin to sign
>>> using SHA512 as its digest algorithm in the ASF Parent POM, used by many
>>> Maven/Java-based projects within ASF. This configuration takes effect
>>> during software releases when this plugin is activated (typically prior to
>>> a release candidate vote, and staging a release in Nexus for distribution
>>> to Maven Central).
>>> 
>>> This would only affect the hash algorithm used to generate GPG signatures
>>> for releases, and not any separate SHA/MD hashes published separately by
>>> any project, which can be weaker (SHA1, MD5) for convenience, and don't
>>> convey the strong authenticity statement that digital signatures provide.
>>> 
>>> For background, gpg uses SHA1 by default, unless the signing key or gpg
>>> configuration has a preference to use another algorithm (as described on
>>> https://www.apache.org/dev/openpgp).
>>> 
>>> This proposed configuration change wouldn't force the use of SHA512 (it
>>> could still be overridden by a project), but it would make it the default,
>>> which helps improve the security of releases in the case where release
>>> managers have failed to keep their configuration up-to-date with the best
>>> recommendations for using gpg.
>>> 
>>> Thoughts? +1s? Discuss here or on the JIRA please.
>>> 
>>> Thank you.
>> 




Re: SHA512 by default for GPG sigs

Posted by Benson Margulies <bi...@gmail.com>.
Greg, the proposal is for the _Default ASF POM_ to be set up so that
_all_ projects would use SHA-512. This is not a question for the Maven
PMC.

On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk <tr...@stratuscom.com> wrote:
>
> Hi Christopher:
>
> Thanks for your involvement.  Apache Maven is one of many projects at the Apache Software Foundation.  Each project has its own mailing lists.  So your discussion should probably go to dev@maven.apache.org, which I’ve cc’d on this response.  If you’re not subscribed to that list, you probably should do that as well - check the Apache Maven web site (http://maven.apache.org) for more info.
>
> Thanks again,
>
> Greg Trasuk
>
>> On May 18, 2016, at 1:45 PM, Christopher <ct...@apache.org> wrote:
>>
>> Hi all,
>>
>> I'm not sure a better list to get feedback on, but I wanted to bring
>> attention to the proposal here:
>> https://issues.apache.org/jira/browse/MPOM-118
>>
>> Essentially this is a suggestion to configure the maven-gpg-plugin to sign
>> using SHA512 as its digest algorithm in the ASF Parent POM, used by many
>> Maven/Java-based projects within ASF. This configuration takes effect
>> during software releases when this plugin is activated (typically prior to
>> a release candidate vote, and staging a release in Nexus for distribution
>> to Maven Central).
>>
>> This would only affect the hash algorithm used to generate GPG signatures
>> for releases, and not any separate SHA/MD hashes published separately by
>> any project, which can be weaker (SHA1, MD5) for convenience, and don't
>> convey the strong authenticity statement that digital signatures provide.
>>
>> For background, gpg uses SHA1 by default, unless the signing key or gpg
>> configuration has a preference to use another algorithm (as described on
>> https://www.apache.org/dev/openpgp).
>>
>> This proposed configuration change wouldn't force the use of SHA512 (it
>> could still be overridden by a project), but it would make it the default,
>> which helps improve the security of releases in the case where release
>> managers have failed to keep their configuration up-to-date with the best
>> recommendations for using gpg.
>>
>> Thoughts? +1s? Discuss here or on the JIRA please.
>>
>> Thank you.
>
