Posted to dev@ant.apache.org by Stefan Bodewig <bo...@apache.org> on 2005/05/04 16:26:22 UTC

PGP tasks (was Re: proposed build.xml changes to speed up releases)

On Wed, 04 May 2005, Stephane Bailliez <sb...@apache.org> wrote:
> Stefan Bodewig wrote:
> 
>>how would you do that?  I've been toying with the idea of a pure
>>Java pgp task using bouncycastle's OpenPGP library, but haven't
>>coded anything so far.  Has anybody used it so far?
>>
>>
> I'm using it as a component for a PKI (EJBCA) for customers.

Interested in lending a hand if I start to dump code into a sandbox
antlib?

> Works fine but I did not use the pgp part.

I've just downloaded the source package of the openpgp library and
org.bouncycastle.openpgp.examples.DetachedSignatureProcessor has all
the code needed for signing and verifying signatures.  Doesn't look
too hard to steal.

All Bouncycastle[1] stuff is MIT licensed, so fully Apache Software
License compatible - and all the crypto stuff would be done by the
library so our tasks wouldn't need to consider silly crypto laws
either.

Stefan

Footnotes: 
[1]  http://www.bouncycastle.org/


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org


Re: PGP tasks (was Re: proposed build.xml changes to speed up releases)

Posted by Stephane Bailliez <sb...@apache.org>.
Stefan Bodewig wrote:

>>Not sure what hand size you will get :)
>
>I'll take any size as long as I can use it to pull you back into ant
>development ;-)

I'm willing to invest more time into development rather than 
commercial or management as well.

Since I'm working for an opensource company I'm basically doing no long 
term contributions rather than sending patches here and there to fix 
problems, I have my head spinning considering the many components I'm 
involved with and the big parts I would like to fix simply remain in 
stale state because of a low result of function(planning, time, 
productivity, focus)....

I was shocked a couple of days, as I managed to find myself debugging 
Apache 2.0 and OpenSSL. C code...arrrgh.

I'm doing my best to make things change though and get back to 
fundamentals though :)

>looks like a PGP provider abstraction could be useful indeed.  License
>is compatible (BSDish) and people may like to have a choice.
>  
>




Re: PGP tasks

Posted by Brett Porter <br...@gmail.com>.
On 5/9/05, Stefan Bodewig <bo...@apache.org> wrote:
> Depends on what we intend to do there.  commons-pgp or even
> commons-openpgp if we want to stick with PGP might be better (we may
> include support for encryption and decryption as well, that's why I
> don't like "signing").

Commons PGP sounds good, at least for now. Beauty of sandboxes and SVN
is that it can be renamed :)

> Brett, do you want to spread this to the maven dev-list (I'm

Will do.

Cheers,
Brett



Re: PGP tasks

Posted by Stefan Bodewig <bo...@apache.org>.
On Sat, 7 May 2005, Brett Porter <br...@gmail.com> wrote:

>> Maybe jakarta-commons as some "neutral ground"?  The library itself
>> could be useful beyond Ant and Maven.
> 
> +1 for jakarta-commons.
> 
> commons-signing?

Depends on what we intend to do there.  commons-pgp or even
commons-openpgp if we want to stick with PGP might be better (we may
include support for encryption and decryption as well, that's why I
don't like "signing").

> I probably won't have time for much in the next week,

Same here, unfortunately, but I can try to free up some time tomorrow
(daytime my timezone, GMT+2).

> though we probably have to have a bit of discussion about objectives
> and gather together interested people first anyway. We can do that
> on commons-dev, and create the scaffolding in the sandbox.

+1

My Gump chairman role allows me to grant SVN access to the
jakarta-commons sandbox and given it is in SVN, we won't need any Unix
group adjustments.

Who wants to join in?  Matt?

Brett, do you want to spread this to the maven dev-list (I'm
subscribed there as well, but may get ignored by more people than you ;-)?

Stefan



Re: PGP tasks (was Re: proposed build.xml changes to speed up releases)

Posted by Brett Porter <br...@gmail.com>.
> No, I think a standalone antlib with <pgp:sign/> is well worth the
> effort.

Agreed.

> Maybe jakarta-commons as some "neutral ground"?  The library itself
> could be useful beyond Ant and Maven.

+1 for jakarta-commons.

commons-signing?

I probably won't have time for much in the next week, though we
probably have to have a bit of discussion about objectives and gather
together interested people first anyway. We can do that on
commons-dev, and create the scaffolding in the sandbox.

Cheers,
Brett



Re: PGP tasks (was Re: proposed build.xml changes to speed up releases)

Posted by Stefan Bodewig <bo...@apache.org>.
On Fri, 6 May 2005, Brett Porter <br...@gmail.com> wrote:

>> I don't really care where the tasks get created as long as they are
>> under a useful license and all interested people can work on them.
> 
> Likewise. 
> 
> I'd suggest inside Wagon if they were only going to be used via the
> artifact antlib.

No, I think a standalone antlib with <pgp:sign/> is well worth the
effort.

> If it needs to be an independent component only utilising bouncy
> castle/other pgp provider, is it feasible for an antlib to be
> composed of two separate parts: the tasks that depend on Ant and a
> standalone library that the antlib uses which provides the actual
> functionality?

Absolutely.  The standalone library sounds like the best way to go, it
wouldn't need any dependency on Ant or Wagon.

> Once we sort out the best place to work, we can take the discussion
> to that list (or bring other interested people here if this is it).

Maybe jakarta-commons as some "neutral ground"?  The library itself
could be useful beyond Ant and Maven.

Stefan



Re: PGP tasks (was Re: proposed build.xml changes to speed up releases)

Posted by Brett Porter <br...@gmail.com>.
> Honestly I don't know.  I haven't played with JCE too much, so I have
> no real grasp of it.  My guess is that things like armor-armed
> detached signatures (the main use case for Ant tasks or
> download-validation IMHO, encrypt/decrypt doesn't sound like something
> that goes into your build) are far easier to get if you use a
> PGP-aware API directly.

Yes, I thought this was most likely the case. Just thought JCE would
be a good way to get that pluggable provider API that you were looking
for for free.

> In Steve's list of things the Maven2 Ant tasks could potentially do,
> there was an item on PGP validation.  Is it something you've already
> started?  

Just on my personal wishlist.

> Is this something you'd like to work on together with us so
> that the effort isn't duplicated?

Sounds good to me.

> I don't really care where the tasks get created as long as they are
> under a useful license and all interested people can work on them.

Likewise. 

I'd suggest inside Wagon if they were only going to be used via the
artifact antlib. However, if you want to either include these in the
Ant core tasks, or in a separate antlib and don't want to depend on
Wagon, then it would need to be elsewhere.
By the same token, I'd want to be able to use them from Wagon, so they
couldn't be directly dependent on the Ant core library.

If it needs to be an independent component only utilising bouncy
castle/other pgp provider, is it feasible for an antlib to be composed
of two separate parts: the tasks that depend on Ant and a standalone
library that the antlib uses which provides the actual functionality?

Once we sort out the best place to work, we can take the discussion to
that list (or bring other interested people here if this is it).

Thanks,
Brett



Re: PGP tasks (was Re: proposed build.xml changes to speed up releases)

Posted by Steve Loughran <st...@apache.org>.
Stefan Bodewig wrote:
> On Thu, 5 May 2005, Brett Porter <br...@gmail.com> wrote:
> 
> 
>>Are the PGP functions exposed through JCE at all?
> 
> 
> Honestly I don't know.  I haven't played with JCE too much, so I have
> no real grasp of it.  My guess is that things like armor-armed
> detached signatures (the main use case for Ant tasks or
> download-validation IMHO, encrypt/decrypt doesn't sound like something
> that goes into your build) are far easier to get if you use a
> PGP-aware API directly.

There is a lot of stuff that bouncycastle does outside JCE, like create 
SSL certificates.

One thing bouncycastle can't do with JCE is build it with Gump, as the 
JCE runtime only works with builds that are signed by someone it trusts. 
If you bypass JCE, you can run with builds you do yourself, or which 
gump does (if we persuade the BC folk to join gump for the non-JCE bits)



Re: PGP tasks (was Re: proposed build.xml changes to speed up releases)

Posted by Stefan Bodewig <bo...@apache.org>.
On Thu, 5 May 2005, Brett Porter <br...@gmail.com> wrote:

> Are the PGP functions exposed through JCE at all?

Honestly I don't know.  I haven't played with JCE too much, so I have
no real grasp of it.  My guess is that things like armor-armed
detached signatures (the main use case for Ant tasks or
download-validation IMHO, encrypt/decrypt doesn't sound like something
that goes into your build) are far easier to get if you use a
PGP-aware API directly.

> I realise that is 1.4+ (1.3 + ext),

You can use JCE with 1.2 as well.

In Steve's list of things the Maven2 Ant tasks could potentially do,
there was an item on PGP validation.  Is it something you've already
started?  Is this something you'd like to work on together with us so
that the effort isn't duplicated?

I don't really care where the tasks get created as long as they are
under a useful license and all interested people can work on them.

Stefan



Re: PGP tasks (was Re: proposed build.xml changes to speed up releases)

Posted by Brett Porter <br...@gmail.com>.
> > [2] - http://www.cryptix.org/ OpenPGP
> 
> looks like a PGP provider abstraction could be useful indeed.  License
> is compatible (BSDish) and people may like to have a choice.

(I've been tossing this around for a while myself).

Are the PGP functions exposed through JCE at all? I realise that is
1.4+ (1.3 + ext), but it's probably a convenient way to easily plug in
new ones. Bouncycastle at least exposes their block cipher.

I preferred bouncycastle over cryptix myself, but YMMV. Being written
by some Australians helps ;) From a more practical standpoint, I found
the source code cleaner and easier to read which was helpful in what I
was trying to do with it. Never had any problems with it.

Cheers,
Brett



Re: PGP tasks (was Re: proposed build.xml changes to speed up releases)

Posted by Stefan Bodewig <bo...@apache.org>.
On Wed, 04 May 2005, Stephane Bailliez <sb...@apache.org> wrote:
> Stefan Bodewig wrote:
> 
>>Interested in lending a hand if I start to dump code into a sandbox
>>antlib?
>>
>>
> Not sure what hand size you will get :)

I'll take any size as long as I can use it to pull you back into ant
development ;-)

> Otherwise I have heard of [2] but don't know exactly what it's
> worth.

> [2] - http://www.cryptix.org/ OpenPGP

looks like a PGP provider abstraction could be useful indeed.  License
is compatible (BSDish) and people may like to have a choice.

Stefan



Re: PGP tasks (was Re: proposed build.xml changes to speed up releases)

Posted by Stephane Bailliez <sb...@apache.org>.
Stefan Bodewig wrote:

>Interested in lending a hand if I start to dump code into a sandbox
>antlib?
>  
>
Not sure what hand size you will get :)

>I've just downloaded the source package of the openpgp library and
>org.bouncycastle.openpgp.examples.DetachedSignatureProcessor has all
>the code needed for signing and verifying signatures.  Doesn't look
>too hard to steal.
>
>All Bouncycastle[1] stuff is MIT licensed, so fully Apache Software
>License compatible - and all the crypto stuff would be done by the
>library so our tasks wouldn't need to consider silly crypto laws
>either.
>  
>
There is some outdated information in [1], but might be useful.
Otherwise I have heard of [2] but don't know exactly what it's worth.

[1] - http://tinyurl.com/ay29q
[2] - http://www.cryptix.org/ OpenPGP
