Posted to dev@jmeter.apache.org by sebb <se...@gmail.com> on 2019/09/04 12:42:42 UTC

Current state of keys at apache.org (was: PGP-based dependency verification)

On Wed, 4 Sep 2019 at 13:24, Vladimir Sitnikov
<si...@gmail.com> wrote:
>
> However, current state of KEYS at apache.org leaves much to be desired, so
> automatic verification against apache.org is not possible at the moment
> anyway.

What do you mean by that?

Can you provide some examples?

Sebb.

Re: Current state of keys at apache.org (was: PGP-based dependency verification)

Posted by sebb <se...@gmail.com>.
On Wed, 4 Sep 2019 at 13:59, Vladimir Sitnikov
<si...@gmail.com> wrote:
>
> sebb>Can you provide some examples?
>
> 1) META files are often missing.
> For instance: https://www.apache.org/dist/commons/ ,
> https://www.apache.org/dist/httpcomponents/ ,
> https://www.apache.org/dist/logging/ , https://www.apache.org/dist/tika/  ,
> https://www.apache.org/dist/xalan/ , https://www.apache.org/dist/xerces/,
> https://www.apache.org/dist/groovy/, https://www.apache.org/dist/geronimo/ and
> so on.
>
> 2) META files do not describe "who signs Nexus artifacts". In other words,
> it would be nice if META files could specify that "official JMeter jars
> should be signed by ..."
> Current file https://www.apache.org/dist/jmeter/META lists just "binaries/"
> and "sources/", and there's no room for "who signs org.apache.jmeter Maven
> artifacts".

So it's not actually a problem with KEYS files.

AIUI META files were introduced to the ASF fairly recently, and there
has been almost no promotion of their use. I think they were set up by
Henk Penning, who has sadly since passed.

If you wish to help progress them, I suggest you contact
users@infra.a.o and/or raise an INFRA JIRA.

AFAICT the ASF META files won't help with checking 3rd party dependencies.

> I do understand that "Maven jars" are convenience-only, however it is
> really sad we use 30 or so different Apache dependencies via Maven jars,
> and we don't really know which PGP keys should we trust.

In which case, I suggest you contact ASF Infra as noted above.

> Vladimir

Re: Current state of keys at apache.org (was: PGP-based dependency verification)

Posted by Vladimir Sitnikov <si...@gmail.com>.
sebb>Can you provide some examples?

1) META files are often missing.
For instance: https://www.apache.org/dist/commons/ ,
https://www.apache.org/dist/httpcomponents/ ,
https://www.apache.org/dist/logging/ , https://www.apache.org/dist/tika/  ,
https://www.apache.org/dist/xalan/ , https://www.apache.org/dist/xerces/,
https://www.apache.org/dist/groovy/, https://www.apache.org/dist/geronimo/ and
so on.

2) META files do not describe "who signs Nexus artifacts". In other words,
it would be nice if META files could specify that "official JMeter jars
should be signed by ..."
Current file https://www.apache.org/dist/jmeter/META lists just "binaries/"
and "sources/", and there's no room for "who signs org.apache.jmeter Maven
artifacts".
I do understand that "Maven jars" are convenience-only, however it is
really sad we use 30 or so different Apache dependencies via Maven jars,
and we don't really know which PGP keys should we trust.

Vladimir
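The check the thread is circling around, as an added example that is not part of the thread and not ASF tooling: verify a downloaded artifact's detached .asc signature against a project KEYS file in an isolated keyring, so that only keys actually listed in KEYS can produce a "good" result, and then compare the signer's fingerprint against an allow-list. It assumes the gpg and gpgconf command-line tools are installed and that KEYS is in the ASF format (a concatenation of ASCII-armored public key blocks, which gpg --import reads directly). The function names, the throwaway signing key and the sample artifact are all constructed for the example. Fetch the real KEYS file from https://www.apache.org/dist/<project>/KEYS rather than from a mirror; for Maven Central jars the .asc sits beside the jar, but, as the thread says, nothing at apache.org states which key should have signed them, so the fingerprint allow-list has to be maintained by hand.

```shell
#!/bin/sh
# Added example (not from the thread or any ASF project): verify a detached
# PGP signature against a KEYS file using an isolated keyring, then check the
# signer's fingerprint. Requires gpg/gpgconf (GnuPG 2.1+).
set -eu

# verify_against_keys KEYS ARTIFACT SIG [EXPECTED_FPR]
# Returns 0 only if SIG is a good signature over ARTIFACT made by a key that
# is present in KEYS and, when EXPECTED_FPR is given, by exactly that key.
verify_against_keys() {
    keys=$1; artifact=$2; sig=$3; expected=${4:-}
    home=$(mktemp -d)   # fresh GNUPGHOME: the user's own keyring must not count
    GNUPGHOME=$home gpg --batch --quiet --import "$keys" 2>/dev/null
    # --status-fd gives machine-readable lines; gpg --verify exits 0 for a good
    # signature from an untrusted key, so we read the status lines, not $?.
    status=$(GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null || true)
    GNUPGHOME=$home gpgconf --kill all 2>/dev/null || true
    rm -rf "$home"
    # GOODSIG: valid signature by an imported key (a key missing from KEYS
    # yields NO_PUBKEY instead). VALIDSIG carries the full fingerprint.
    echo "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    if [ -n "$expected" ]; then
        echo "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected " || return 1
    fi
    return 0
}

# make_demo_release DIR
# Demo scaffolding only: builds a throwaway "release" in DIR (an ephemeral
# signing key, a constructed artifact, its detached .asc and a KEYS file
# holding the public key) and prints the signer's fingerprint. A real release
# is signed by the release manager; KEYS comes from www.apache.org/dist.
make_demo_release() {
    dir=$1
    signer="$dir/signer-home"; mkdir -p -m 700 "$signer"
    GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Release Manager <rm@example.invalid>' default default never 2>/dev/null
    printf 'constructed sample artifact bytes\n' > "$dir/artifact.jar"
    GNUPGHOME=$signer gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$dir/artifact.jar.asc" "$dir/artifact.jar" 2>/dev/null
    GNUPGHOME=$signer gpg --batch --armor --export > "$dir/KEYS" 2>/dev/null
    GNUPGHOME=$signer gpg --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
    GNUPGHOME=$signer gpgconf --kill all 2>/dev/null || true
}

# Stand-alone usage:
#   sh verify_keys.sh KEYS artifact.jar artifact.jar.asc [EXPECTED_FPR]
if [ -n "${1:-}" ]; then
    if verify_against_keys "$1" "${2:?artifact}" "${3:?signature}" "${4:-}"; then
        echo "OK: good signature by a key listed in KEYS"
    else
        echo "FAIL: no good signature by a KEYS key (or fingerprint mismatch)" >&2
        exit 1
    fi
fi
```

Two things matter here. Verifying against the default keyring means any key you ever imported counts, which defeats the purpose of KEYS, hence the fresh GNUPGHOME per check. And gpg --verify exits 0 for a good signature by an untrusted key (it only prints a warning), so the exit code alone says nothing about who signed; the VALIDSIG status line is what an allow-list of expected release-manager fingerprints should be compared against.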