Posted to dev@maven.apache.org by Mark Derricutt <ma...@talios.com> on 2014/07/29 04:14:22 UTC

Central and Man-in-the-middle

Hey all,

Just been reading [1] after it was mentioned in both #scala and #clojure 
on irc.freenode.org. Now, is there anything that can be done to alleviate 
some of these issues?

oss.sonatype.org now requires everything to be GPG signed before being 
uploaded to central, but I'm not sure about any of the other means of 
getting artifacts uploaded.

Are there any plugins out there to verify GPG signings of dependencies?

Something to discuss on the dev-hangout maybe?


[1] https://news.ycombinator.com/item?id=8099713

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


Re: Central and Man-in-the-middle

Posted by "Brian E. Fox" <br...@infinity.nu>.
http://blog.sonatype.com/2014/07/ssl_connectivity_for_central/

--Brian (mobile)


> On Jul 28, 2014, at 11:06 PM, Brian Fox <br...@infinity.nu> wrote:
> 
> We are already in the process of making this open for free to
> everyone. Way back in 2012 the CDN situation was different but we just
> renewed the contract and ssl is part of it. Once this is set up, we
> should consider changing the superpom to use ssl by default.
> 
> Obviously doing something to validate pgp signatures is even better.
> 
>> On Mon, Jul 28, 2014 at 10:14 PM, Mark Derricutt <ma...@talios.com> wrote:
>> Hey all,
>> 
>> Just been reading [1] after it was mentioned in both #scala and #clojure on
>> irc.freenode.org. Now, is there anything that can be done to alleviate some
>> of these issues?
>> 
>> oss.sonatype.org now requires everything to be GPG signed before being
>> uploaded to central, but I'm not sure about any of the other means of
>> getting artifacts uploaded.
>> 
>> Are there any plugins out there to verify GPG signings of dependencies?
>> 
>> Something to discuss on the dev-hangout maybe?
>> 
>> 
>> [1] https://news.ycombinator.com/item?id=8099713
>> 
>> 

Re: Central and Man-in-the-middle

Posted by Brian Fox <br...@infinity.nu>.
We are already in the process of making this open for free to
everyone. Way back in 2012 the CDN situation was different but we just
renewed the contract and ssl is part of it. Once this is set up, we
should consider changing the superpom to use ssl by default.

Obviously doing something to validate pgp signatures is even better.

On Mon, Jul 28, 2014 at 10:14 PM, Mark Derricutt <ma...@talios.com> wrote:
> Hey all,
>
> Just been reading [1] after it was mentioned in both #scala and #clojure on
> irc.freenode.org. Now, is there anything that can be done to alleviate some
> of these issues?
>
> oss.sonatype.org now requires everything to be GPG signed before being
> uploaded to central, but I'm not sure about any of the other means of
> getting artifacts uploaded.
>
> Are there any plugins out there to verify GPG signings of dependencies?
>
> Something to discuss on the dev-hangout maybe?
>
>
> [1] https://news.ycombinator.com/item?id=8099713
>
>



Re: Central and Man-in-the-middle

Posted by Bernd Eckenfels <ec...@zusammenkunft.net>.
Hello,

I have started a POC a while back which can "lock" dependencies by a
special checksum file. However it is not really secure as a plugin, as
you cannot avoid other plugins overwriting it.

It is not finished, it was an exercise in some internal maven apis:

https://github.com/ecki/lockdep-maven-plugin

There is a productive plugin which can generate checksums, but not
check them: 

https://github.com/nicoulaj/checksum-maven-plugin

Greetings
Bernd

BTW: Bintray's jcenter mirrors central and other stuff and offers SSL, of
course it adds additional possibilities to inject malicious stuff.
And yes, there are PGP files, but not really a good way to verify
them. I wish ASF infra would publish an md5sum of their maven2
directory.

On Tue, 29 Jul 2014
22:14:33 +0200, Hervé BOUTEMY <he...@free.fr> wrote:

> Direct control by Maven while downloading dependencies seems ideal,
> but I fear it's hard to have normal users aware of keys and manage it
> while building their artifacts.
> 
> I imagine something useful would be some report too, to display the
> status of actual dependencies: imagine adding a key reference to every
> dependency in the dependencies report [1].
> 
> Anybody interested in coding such an improvement?
> Or any other idea?
> 
> Definitely, this seems the right moment to improve users' awareness about
> security: IMHO, people will discover that security isn't automagic
> and will require involvement to decide what to trust and what not to
> trust, and that trust is a personal choice.
> 
> Regards,
> 
> Hervé
> 
> [1]
> http://maven.apache.org/plugins/maven-dependency-plugin/dependencies.html
> 
> On Tuesday 29 July 2014 13:31:30, Brett Porter wrote:
> > On 29 Jul 2014, at 12:14 pm, Mark Derricutt <ma...@talios.com> wrote:
> > > Hey all,
> > > 
> > > Just been reading [1] after it was mentioned in both #scala and
> > > #clojure on irc.freenode.org. Now, is there anything that can be
> > > done to alleviate some of these issues?
> > > 
> > > oss.sonatype.org now requires everything to be GPG signed before
> > > being uploaded to central, but I'm not sure about any of the
> > > other means of getting artifacts uploaded.
> > > 
> > > Are there any plugins out there to verify GPG signings of
> > > dependencies?
> > 
> > If anyone is interested in picking up work on this, I pulled some
> > things together some years ago:
> > http://docs.codehaus.org/display/MAVEN/Repository+Security
> > 
> > There was a working prototype against Maven 2, but for various
> > reasons didn't get further than that.
> > 
> > - Brett
> > 
> > 
> 
> 
> 




Re: Central and Man-in-the-middle

Posted by Hervé BOUTEMY <he...@free.fr>.
Direct control by Maven while downloading dependencies seems ideal, but I fear 
it's hard to have normal users aware of keys and manage it while building 
their artifacts.

I imagine something useful would be some report too, to display the status of 
actual dependencies: imagine adding a key reference to every dependency in the 
dependencies report [1].

Anybody interested in coding such an improvement?
Or any other idea?

Definitely, this seems the right moment to improve users' awareness about security: 
IMHO, people will discover that security isn't automagic and will require 
involvement to decide what to trust and what not to trust, and that trust is a 
personal choice.

Regards,

Hervé

[1] http://maven.apache.org/plugins/maven-dependency-plugin/dependencies.html

On Tuesday 29 July 2014 13:31:30, Brett Porter wrote:
> On 29 Jul 2014, at 12:14 pm, Mark Derricutt <ma...@talios.com> wrote:
> > Hey all,
> > 
> > Just been reading [1] after it was mentioned in both #scala and #clojure
> > on irc.freenode.org. Now, is there anything that can be done to alleviate
> > some of these issues?
> > 
> > oss.sonatype.org now requires everything to be GPG signed before being
> > uploaded to central, but I'm not sure about any of the other means of
> > getting artifacts uploaded.
> > 
> > Are there any plugins out there to verify GPG signings of dependencies?
> 
> If anyone is interested in picking up work on this, I pulled some things
> together some years ago:
> http://docs.codehaus.org/display/MAVEN/Repository+Security
> 
> There was a working prototype against Maven 2, but for various reasons
> didn't get further than that.
> 
> - Brett
> 
> 




Re: Central and Man-in-the-middle

Posted by Brett Porter <br...@apache.org>.
On 29 Jul 2014, at 12:14 pm, Mark Derricutt <ma...@talios.com> wrote:

> Hey all,
> 
> Just been reading [1] after it was mentioned in both #scala and #clojure on irc.freenode.org. Now, is there anything that can be done to alleviate some of these issues?
> 
> oss.sonatype.org now requires everything to be GPG signed before being uploaded to central, but I'm not sure about any of the other means of getting artifacts uploaded.
> 
> Are there any plugins out there to verify GPG signings of dependencies?

If anyone is interested in picking up work on this, I pulled some things together some years ago: http://docs.codehaus.org/display/MAVEN/Repository+Security

There was a working prototype against Maven 2, but for various reasons didn't get further than that.

- Brett

