Posted to general@incubator.apache.org by "Brian E. Fox" <br...@reply.infinity.nu> on 2008/05/30 22:55:22 UTC

enforced signing of artifacts, [was maven repository]

> I really don't care what cuts across the grain of Maven.  I do care about
> the established principle that people must make a deliberate decision to use
> Incubator artifacts.  If Maven would finally support enforcing signing of
> artifacts, as they have been asked to do for years, we could use an
> Incubator-specific signing key, forcing people to approve the use of
> Incubator artifacts, regardless of download location.

Can you elaborate more on what you mean here? I've been on the Maven PMC
for over a year now and this is the first I've heard of it.

We do support signing of artifacts and all the maven releases are
signed. We obviously don't control all the other Apache projects in a
way to enforce that they sign their artifacts. 




---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: enforced signing of artifacts, [was maven repository]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On 6/3/08, Gilles Scokart <gs...@gmail.com> wrote:
> I thought this thread started with the idea : if maven would be able
> to validate signature, we could use this feature to inform someone
> that he is using incubator artefacts.
> I thought the idea that launched this thread was to have a unique key
> for the incubator that the user has to trust if he wants to use
> incubator artefacts.

Stated like that then the artifact would need to be encrypted
> My question was in that context.

AIUI maven decided against enforcing download verification. So this
requires the maven team to develop this feature first.

Robert
>
> 2008/6/2 Noel J. Bergman <no...@devtech.com>:
>> Gilles Scokart wrote:
>>
>>> Noel J. Bergman:
>>> > Implement that, and we're fine.  We will
>>> > require Incubator artifacts to be signed by a designated key available
>> to
>>> > the PMC, and once a user has acknowledged that they accept such
>> Incubator
>>> > signed artifacts, maven can do what it wants with them.
>>>
>>>        --- Noel
>>
>>> Is that really possible?
>>
>> Very.
>>
>>> I remember some discussion on the infra list about an ASF wide signature.
>>> And the conclusion was always the same: how to secure a key that can be
>>> used by so many people.  If I remember well, some solutions were proposed,
>>> but they were quite heavy.  Do we have a solution for that?
>>
>> There are various things that can be done with respect to key management.
>> Personally, I would not go with a single key.  But maven ought to maintain
>> a
>> trust file, with options to accept files that are signed with a trusted
>> key,
>> or signed by a key that is signed by a trusted key, etc.  The first thing
>> that has to happen is for the Maven PMC to make security a priority.
>>
>>        --- Noel
>>
>
> --
> Gilles Scokart
>
>
>



Re: enforced signing of artifacts, [was maven repository]

Posted by Gilles Scokart <gs...@gmail.com>.
I thought this thread started with the idea : if maven would be able
to validate signature, we could use this feature to inform someone
that he is using incubator artefacts.
I thought the idea that launched this thread was to have a unique key
for the incubator that the user has to trust if he wants to use
incubator artefacts.

My question was in that context.



2008/6/2 Noel J. Bergman <no...@devtech.com>:
> Gilles Scokart wrote:
>
>> Noel J. Bergman:
>> > Implement that, and we're fine.  We will
>> > require Incubator artifacts to be signed by a designated key available
> to
>> > the PMC, and once a user has acknowledged that they accept such
> Incubator
>> > signed artifacts, maven can do what it wants with them.
>>
>>        --- Noel
>
>> Is that really possible?
>
> Very.
>
>> I remember some discussion on the infra list about an ASF wide signature.
>> And the conclusion was always the same: how to secure a key that can be
>> used by so many people.  If I remember well, some solutions were proposed,
>> but they were quite heavy.  Do we have a solution for that?
>
> There are various things that can be done with respect to key management.
> Personally, I would not go with a single key.  But maven ought to maintain a
> trust file, with options to accept files that are signed with a trusted key,
> or signed by a key that is signed by a trusted key, etc.  The first thing
> that has to happen is for the Maven PMC to make security a priority.
>
>        --- Noel
>

-- 
Gilles Scokart



Re: enforced signing of artifacts, [was maven repository]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On 6/2/08, Noel J. Bergman <no...@devtech.com> wrote:
> Robert Burrell Donkin wrote:
>
>> my conclusion was that meta-data signed by [keys in the] WoT would be good
> enough.
>
>> there's no need to distribute a master key
>
> +1
>
>> key management is tricky
>
> Not that tricky.  Let's not make as if this isn't done routinely elsewhere.

>> this is where the complexity lies. IIRC it was quite tough to come up
>> with a user friendly trust model that worked correctly.
>
> Not so much, seeing as how you just agreed with CLR:
>
>> For example, "trust all unsigned", "trust all signed", "trust all signed
> in
>> Apache WOT" might be reasonable policies declared by the user.
IMHO these are all reasonable policies. But users are used to thinking
in black and white. They want software just to work.

>> we don't actually require that the artifacts are signed: just
>> meta-data about the artifacts
>
> What do you think a signature is in the first place?  It is a digitally
> encrypted hash, i.e., meta-data.
The idea is that you sign finely grained domain specific meta-data.
For example, I would not be willing to sign a key unless I've met the
owner F2F but I would be willing to sign meta-data linking a key to an
incubator project.

Robert

>
> 	--- Noel
>
>
>
>
>



RE: enforced signing of artifacts, [was maven repository]

Posted by "Noel J. Bergman" <no...@devtech.com>.
Robert Burrell Donkin wrote:

> my conclusion was that meta-data signed by [keys in the] WoT would be good
enough.

> there's no need to distribute a master key

+1

> key management is tricky

Not that tricky.  Let's not make as if this isn't done routinely elsewhere.

> this is where the complexity lies. IIRC it was quite tough to come up
> with a user friendly trust model that worked correctly.

Not so much, seeing as how you just agreed with CLR:

> For example, "trust all unsigned", "trust all signed", "trust all signed
in
> Apache WOT" might be reasonable policies declared by the user.

> we don't actually require that the artifacts are signed: just
> meta-data about the artifacts

What do you think a signature is in the first place?  It is a digitally
encrypted hash, i.e., meta-data.

	--- Noel





Re: enforced signing of artifacts, [was maven repository]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Mon, Jun 2, 2008 at 7:29 PM, William A. Rowe, Jr.
<wr...@rowe-clan.net> wrote:
> Noel J. Bergman wrote:
>>
>> Gilles Scokart wrote:
>>
>>> Noel J. Bergman:
>>>>
>>>> Implement that, and we're fine.  We will
>>>> require Incubator artifacts to be signed by a designated key available
>>
>> to
>>>>
>>>> the PMC, and once a user has acknowledged that they accept such
>>
>> Incubator
>>>>
>>>> signed artifacts, maven can do what it wants with them.
>>>
>>>       --- Noel
>>
>>> Is that really possible?
>>
>> Very.
>
> Why is it not equally possible to validate against a short list of keys
> (e.g. infra PMC members) and their immediate trust.  This is what gpg is
> good at.

the short answer is not quite (trust models are too different). my
conclusion was that meta-data signed by a short list of keys in the
WoT would be good enough.

>>> I remember some discussion on the infra list about an ASF wide signature.
>>> And the conclusion was always the same: how to secure a key that can be
>>> used by so many people.  If I remember well, some solutions were proposed,
>>> but they were quite heavy.  Do we have a solution for that?

there's no need to distribute a master key

>> There are various things that can be done with respect to key management.

key management is tricky

>> Personally, I would not go with a single key.  But maven ought to maintain
>> a
>> trust file, with options to accept files that are signed with a trusted
>> key,
>> or signed by a key that is signed by a trusted key, etc.

this is where the complexity lies. IIRC it was quite tough to come up
with a user friendly trust model that worked correctly.

>>  The first thing
>> that has to happen is for the Maven PMC to make security a priority.
>
> As far as signing jars, microsoft authenticode etc, Noel and I planned to
> create such a service (although we've both been really busy in the past few
> months).  But it will always require that the artifacts are already signed
> by someone in the ASF's web-of-trust via pgp.

we don't actually require that the artifacts are signed: just
meta-data about the artifacts

- robert



RE: enforced signing of artifacts, [was maven repository]

Posted by "Noel J. Bergman" <no...@devtech.com>.
William A. Rowe, Jr. wrote:

> Why is it not equally possible to validate against a short list of keys
> (e.g. infra PMC members) and their immediate trust.  This is what gpg is
> good at.

First get the code built into Maven for actually checking the signatures and we're golden, with multiple options.

> As far as signing jars, microsoft authenticode etc, Noel and I planned to
> create such a service (although we've both been really busy in the past few
> months).  But it will always require that the artifacts are already signed
> by someone in the ASF's web-of-trust via pgp.

I've been wondering when you'd come back to life, but you may have been waiting for me.  I actually had time the past week.

	--- Noel





Re: enforced signing of artifacts, [was maven repository]

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Noel J. Bergman wrote:
> Gilles Scokart wrote:
> 
>> Noel J. Bergman:
>>> Implement that, and we're fine.  We will
>>> require Incubator artifacts to be signed by a designated key available
> to
>>> the PMC, and once a user has acknowledged that they accept such
> Incubator
>>> signed artifacts, maven can do what it wants with them.
>>        --- Noel
> 
>> Is that really possible?
> 
> Very.

Why is it not equally possible to validate against a short list of keys
(e.g. infra PMC members) and their immediate trust.  This is what gpg is
good at.

>> I remember some discussion on the infra list about an ASF wide signature.
>> And the conclusion was always the same: how to secure a key that can be
>> used by so many people.  If I remember well, some solutions were proposed,
>> but they were quite heavy.  Do we have a solution for that?
> 
> There are various things that can be done with respect to key management.
> Personally, I would not go with a single key.  But maven ought to maintain a
> trust file, with options to accept files that are signed with a trusted key,
> or signed by a key that is signed by a trusted key, etc.  The first thing
> that has to happen is for the Maven PMC to make security a priority.

As far as signing jars, microsoft authenticode etc, Noel and I planned to
create such a service (although we've both been really busy in the past few
months).  But it will always require that the artifacts are already signed
by someone in the ASF's web-of-trust via pgp.

Bill



RE: enforced signing of artifacts, [was maven repository]

Posted by "Noel J. Bergman" <no...@devtech.com>.
Gilles Scokart wrote:

> Noel J. Bergman:
> > Implement that, and we're fine.  We will
> > require Incubator artifacts to be signed by a designated key available
to
> > the PMC, and once a user has acknowledged that they accept such
Incubator
> > signed artifacts, maven can do what it wants with them.
>
>        --- Noel

> Is that really possible?

Very.

> I remember some discussion on the infra list about an ASF wide signature.
> And the conclusion was always the same: how to secure a key that can be
> used by so many people.  If I remember well, some solutions were proposed,
> but they were quite heavy.  Do we have a solution for that?

There are various things that can be done with respect to key management.
Personally, I would not go with a single key.  But maven ought to maintain a
trust file, with options to accept files that are signed with a trusted key,
or signed by a key that is signed by a trusted key, etc.  The first thing
that has to happen is for the Maven PMC to make security a priority.

	--- Noel





Re: enforced signing of artifacts, [was maven repository]

Posted by Gilles Scokart <gs...@gmail.com>.
2008/5/31 Noel J. Bergman <no...@devtech.com>:

> Implement that, and we're fine.  We will
> require Incubator artifacts to be signed by a designated key available to
> the PMC, and once a user has acknowledged that they accept such Incubator
> signed artifacts, maven can do what it wants with them.
>
>        --- Noel
>

Is that really possible?  I remember some discussion on the infra list
about an ASF wide signature.  And the conclusion was always the same :
how to secure a key that can be used by so many people.  If I remember
well, some solutions were proposed, but they were quite heavy.
Do we have a solution for that?



-- 
Gilles Scokart



Re: enforced signing of artifacts, [was maven repository]

Posted by James Carman <ja...@carmanconsulting.com>.
On Sat, May 31, 2008 at 9:05 AM, James Carman
<ja...@carmanconsulting.com> wrote:
> On Sat, May 31, 2008 at 1:33 AM, Robert Burrell Donkin
> <ro...@gmail.com> wrote:
>
>> IMO this isn't really a maven issue: basic checks should be performed
>> on all releases. i favour a private subversion repository with custom
>> hooks for release publishing.
>
> I think it very much is a maven issue.  Maven is the tool that
> automatically downloads jar files from the public repository
> automagically (I love that by the way).  If there were a setting in
> maven that I could set that says "don't add anything to my local maven
> repository that isn't signed by someone that I trust", then I think we
> would be good here.  I don't know if I'd make it a required feature,
> though.  I think making it optional would be okay.  Maven should also
> ask you if you want to trust a signer if it hasn't seen it before
> (kind of like how webstart does).  Perhaps it could be a three-choice
> setting:
>
> 1.  Allow any jars from the central repository.
> 2.  Ask me before allowing jars from someone I haven't specifically
> trusted before.
> 3.  Don't allow any jars signed by people I do not trust.
>
> This, of course, would mean that we should probably set up a release
> signing committee so that we only use one signing key from the ASF
> (users shouldn't have to say that they trust jars signed by me, and
> Robert, and Brett, and Noel).  The members of the committee would be
> the only ones with write access to the maven rsync directory.  The
> requests could be set up in JIRA or something (hopefully there would
> be a committee member on each PMC).

I guess we would probably want to set up a signing key for each PMC.
Since saying that I approve of using releases from one podling doesn't
necessarily mean I approve of using releases from another podling.
For example, I may trust JSecurity if I am a long-time user of it, but
I don't trust Imperius, because I don't know what the heck it is.
Once a podling graduates, would we need to generate a new signing key
for it (without the "incubating")?



Re: enforced signing of artifacts, [was maven repository]

Posted by James Carman <ja...@carmanconsulting.com>.
On Sat, May 31, 2008 at 1:33 AM, Robert Burrell Donkin
<ro...@gmail.com> wrote:

> IMO this isn't really a maven issue: basic checks should be performed
> on all releases. i favour a private subversion repository with custom
> hooks for release publishing.

I think it very much is a maven issue.  Maven is the tool that
automatically downloads jar files from the public repository
automagically (I love that by the way).  If there were a setting in
maven that I could set that says "don't add anything to my local maven
repository that isn't signed by someone that I trust", then I think we
would be good here.  I don't know if I'd make it a required feature,
though.  I think making it optional would be okay.  Maven should also
ask you if you want to trust a signer if it hasn't seen it before
(kind of like how webstart does).  Perhaps it could be a three-choice
setting:

1.  Allow any jars from the central repository.
2.  Ask me before allowing jars from someone I haven't specifically
trusted before.
3.  Don't allow any jars signed by people I do not trust.

This, of course, would mean that we should probably set up a release
signing committee so that we only use one signing key from the ASF
(users shouldn't have to say that they trust jars signed by me, and
Robert, and Brett, and Noel).  The members of the committee would be
the only ones with write access to the maven rsync directory.  The
requests could be set up in JIRA or something (hopefully there would
be a committee member on each PMC).



RE: enforced signing of artifacts, [was maven repository]

Posted by "Noel J. Bergman" <no...@devtech.com>.
Brian E. Fox wrote:

> I think this thread belongs on the Maven lists as it is only
> tangential to the decision about the incubator repository.

Well, that's not entirely true.  It is rather key to a satisfactory
resolution, with the possible exception of some interim measure.

> The process for getting new features included is to write a proposal and
> put it on the wiki [1]

> [1] https://docs.codehaus.org/display/MAVENUSER/User+Proposals

Important project content is being maintained on non-ASF infrastructure?

> and then email the dev list to begin a discussion. There are some good
ideas here
> but they need to be fleshed out by the Maven community as a whole.

Feel free.  Personally, I'll be pleasantly surprised if anything comes of
it, because no one in Maven-land seems to consider security seriously --- or
even at all.

	--- Noel





RE: enforced signing of artifacts, [was maven repository]

Posted by "Brian E. Fox" <br...@reply.infinity.nu>.
I think this thread belongs on the Maven lists as it is only
tangential to the decision about the incubator repository. 

The process for getting new features included is to write a proposal and
put it on the wiki [1] and then email the dev list to begin a
discussion. There are some good ideas here but they need to be fleshed
out by the Maven community as a whole.


[1] https://docs.codehaus.org/display/MAVENUSER/User+Proposals

-----Original Message-----
From: Robert Burrell Donkin [mailto:robertburrelldonkin@gmail.com] 
Sent: Monday, June 02, 2008 2:40 PM
To: general@incubator.apache.org
Subject: Re: enforced signing of artifacts, [was maven repository]

On Sat, May 31, 2008 at 8:11 PM, Craig L Russell <Cr...@sun.com>
wrote:
>
> On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
>
>> On Sat, May 31, 2008 at 3:42 AM, Brett Porter <br...@gmail.com>
>> wrote:
>>>
>>> 2008/5/31 Brian E. Fox <br...@reply.infinity.nu>:
>>>>
>>>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>>>> for over a year now and this is the first I've heard of it.
>>>>
>>>> We do support signing of artifacts and all the maven releases are
>>>> signed. We obviously don't control all the other Apache projects in a
>>>> way to enforce that they sign their artifacts.
>>>
>>> Noel is referring to enforcing checking signatures, not signing them.
>>> I've had a proposal out there for some time which anyone is free to
>>> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>>>
>>> There hasn't been a lot of traction behind it so far. Ease of use,
>>> especially OOTB, is probably one of the main concerns.
>>
>> IMO this isn't really a maven issue: basic checks should be performed
>> on all releases. i favour a private subversion repository with custom
>> hooks for release publishing.
>
> I think that maven basically changes the equation, since it is responsible
> for automatically downloading artifacts, and this feature is a huge
> usability win. I think that currently, usability trumps security.
>
> Since maven automatically downloads artifacts, it's technically feasible for
> maven to verify the signatures of those artifacts and allow for control by
> the user over whether or not to trust the artifacts.
>
> For example, "trust all unsigned", "trust all signed", "trust all signed in
> Apache WOT" might be reasonable policies declared by the user.

+1

- robert





Re: enforced signing of artifacts, [was maven repository]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Sat, May 31, 2008 at 8:11 PM, Craig L Russell <Cr...@sun.com> wrote:
>
> On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
>
>> On Sat, May 31, 2008 at 3:42 AM, Brett Porter <br...@gmail.com>
>> wrote:
>>>
>>> 2008/5/31 Brian E. Fox <br...@reply.infinity.nu>:
>>>>
>>>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>>>> for over a year now and this is the first I've heard of it.
>>>>
>>>> We do support signing of artifacts and all the maven releases are
>>>> signed. We obviously don't control all the other Apache projects in a
>>>> way to enforce that they sign their artifacts.
>>>
>>> Noel is referring to enforcing checking signatures, not signing them.
>>> I've had a proposal out there for some time which anyone is free to
>>> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>>>
>>> There hasn't been a lot of traction behind it so far. Ease of use,
>>> especially OOTB, is probably one of the main concerns.
>>
>> IMO this isn't really a maven issue: basic checks should be performed
>> on all releases. i favour a private subversion repository with custom
>> hooks for release publishing.
>
> I think that maven basically changes the equation, since it is responsible
> for automatically downloading artifacts, and this feature is a huge
> usability win. I think that currently, usability trumps security.
>
> Since maven automatically downloads artifacts, it's technically feasible for
> maven to verify the signatures of those artifacts and allow for control by
> the user over whether or not to trust the artifacts.
>
> For example, "trust all unsigned", "trust all signed", "trust all signed in
> Apache WOT" might be reasonable policies declared by the user.

+1

- robert



Re: enforced signing of artifacts, [was maven repository]

Posted by Craig L Russell <Cr...@Sun.COM>.
On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:

> On Sat, May 31, 2008 at 3:42 AM, Brett Porter <br...@gmail.com> wrote:
>> 2008/5/31 Brian E. Fox <br...@reply.infinity.nu>:
>>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>>> for over a year now and this is the first I've heard of it.
>>>
>>> We do support signing of artifacts and all the maven releases are
>>> signed. We obviously don't control all the other Apache projects in a
>>> way to enforce that they sign their artifacts.
>>
>> Noel is referring to enforcing checking signatures, not signing them.
>> I've had a proposal out there for some time which anyone is free to
>> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>>
>> There hasn't been a lot of traction behind it so far. Ease of use,
>> especially OOTB, is probably one of the main concerns.
>
> IMO this isn't really a maven issue: basic checks should be performed
> on all releases. i favour a private subversion repository with custom
> hooks for release publishing.

I think that maven basically changes the equation, since it is  
responsible for automatically downloading artifacts, and this feature  
is a huge usability win. I think that currently, usability trumps  
security.

Since maven automatically downloads artifacts, it's technically  
feasible for maven to verify the signatures of those artifacts and  
allow for control by the user over whether or not to trust the  
artifacts.

For example, "trust all unsigned", "trust all signed", "trust all  
signed in Apache WOT" might be reasonable policies declared by the user.

Craig
>
>
> - robert
>
>

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!
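The three user-declared policies Craig lists above, James's three-choice setting and Noel's trust file (accept a key the user trusts, or a key certified by one the user trusts) describe the same decision, and it can be written down. The following is an added example, not code from the thread, from Maven or from Brett's proposal: it parses the machine-readable status lines gpg prints when run with --status-fd to verify a detached .asc signature, then applies the chosen policy. The fingerprints, key names and status lines are constructed for the example, and the trust-file representation (a set of trusted fingerprints plus a map of which keys certified which) is an assumption.

```python
"""Policy check for a Maven artifact's detached OpenPGP signature (added example).

Input is the '[GNUPG:] ...' status output of
    gpg --status-fd 1 --verify foo.jar.asc foo.jar
plus a user-declared policy; output is whether the artifact may enter the
local repository.  Keyword meanings follow doc/DETAILS in GnuPG.
"""
from dataclasses import dataclass

# The three policies from the thread, in James's numbering.
ALLOW_ANY = "trust-all-unsigned"     # 1: take whatever the repository serves
REQUIRE_SIGNED = "trust-all-signed"  # 2: any signature that verifies
REQUIRE_WOT = "trust-signed-in-wot"  # 3: signer must be in the user's trust file


@dataclass
class Verdict:
    signed: bool                # an .asc file accompanied the artifact
    good: bool = False          # GOODSIG: signature verifies against a key we hold
    bad: bool = False           # BADSIG: signature present but does not verify
    missing_key: bool = False   # NO_PUBKEY: could not be checked at all
    signer_fpr: str = ""        # primary-key fingerprint from VALIDSIG
    gpg_trust: str = "UNKNOWN"  # TRUST_*: gpg's own web-of-trust verdict


def parse_gpg_status(status_text):
    """Parse '[GNUPG:] ...' lines from --status-fd into a Verdict."""
    v = Verdict(signed=True)
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw == "GOODSIG":
            v.good = True
        elif kw == "BADSIG":
            v.bad = True
        elif kw == "NO_PUBKEY":
            v.missing_key = True
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pk-algo> <hash> <class> [<primary-fpr>]
            # Prefer the primary-key fingerprint so a signing-subkey rotation does
            # not silently move the signer out of the trust file.
            v.signer_fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
        elif kw.startswith("TRUST_"):
            v.gpg_trust = kw[len("TRUST_"):]
    return v


def admit(verdict, policy, trusted=frozenset(), certified_by=None):
    """Apply the policy; return (admitted, reason).

    trusted      -- fingerprints the user explicitly trusts (the 'trust file')
    certified_by -- fpr -> set of fprs that have certified that key, so a key
                    one hop from a trusted key can be accepted
    """
    certified_by = certified_by or {}
    # A signature that is present but wrong is a red flag under every policy.
    if verdict.signed and verdict.bad:
        return False, "signature present but does not verify"
    if policy == ALLOW_ANY:
        return True, "policy does not require a signature"
    if not verdict.signed:
        return False, "policy requires a signature and none was published"
    if verdict.missing_key:
        return False, "signer's public key is not in the keyring; signature unchecked"
    if not verdict.good:
        return False, "gpg did not report GOODSIG"
    if policy == REQUIRE_SIGNED:
        return True, f"valid signature by {verdict.signer_fpr}"
    if policy == REQUIRE_WOT:
        s = verdict.signer_fpr
        if s in trusted:
            return True, f"signer {s} is directly trusted"
        via = certified_by.get(s, set()) & set(trusted)
        if via:
            return True, f"signer {s} certified by trusted key {sorted(via)[0]}"
        return False, f"signer {s} is outside the trust file"
    raise ValueError(f"unknown policy {policy!r}")


def check_artifact(status_text, policy, trusted=frozenset(), certified_by=None):
    """status_text is None when no .asc was published for the artifact."""
    verdict = parse_gpg_status(status_text) if status_text is not None else Verdict(signed=False)
    return admit(verdict, policy, trusted, certified_by)


# Constructed sample data: fingerprints, names and status lines are made up.
RM_KEY = "1" * 40        # a podling release manager's key
PMC_KEY = "2" * 40       # a key the user has put in the trust file
STRANGER_KEY = "3" * 40  # a key nobody in the trust file has certified
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111111111111111 Example Release Manager <rm@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {RM_KEY} 2008-06-01 1212278400 0 4 0 1 2 00 {RM_KEY}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 1111111111111111 Example Release Manager <rm@example.invalid>\n"
NOKEY_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG 1111111111111111 1 2 00 1212278400 9\n[GNUPG:] NO_PUBKEY 1111111111111111\n"

if __name__ == "__main__":
    for label, status in (("unsigned", None), ("good", GOOD_STATUS), ("bad", BAD_STATUS), ("nokey", NOKEY_STATUS)):
        for policy in (ALLOW_ANY, REQUIRE_SIGNED, REQUIRE_WOT):
            ok, why = check_artifact(status, policy, trusted={PMC_KEY}, certified_by={RM_KEY: {PMC_KEY}})
            print(f"{label:8} {policy:22} {'ADMIT ' if ok else 'REJECT'} {why}")
```

Two points the thread circles around show up directly in the code: GOODSIG only says the bytes match some key in the keyring, which is why "trust all signed" is little more than a tamper check, and the web-of-trust decision is a separate step against the trust file. A BADSIG is rejected even under the laxest policy, since a signature that fails is stronger evidence of tampering than no signature at all. The explicit trust file here stands in for gpg's own TRUST_FULLY/TRUST_ULTIMATE computation, which a build tool could consult instead.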


Re: enforced signing of artifacts, [was maven repository]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Sat, May 31, 2008 at 3:42 AM, Brett Porter <br...@gmail.com> wrote:
> 2008/5/31 Brian E. Fox <br...@reply.infinity.nu>:
>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>> for over a year now and this is the first I've heard of it.
>>
>> We do support signing of artifacts and all the maven releases are
>> signed. We obviously don't control all the other Apache projects in a
>> way to enforce that they sign their artifacts.
>
> Noel is referring to enforcing checking signatures, not signing them.
> I've had a proposal out there for some time which anyone is free to
> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>
> There hasn't been a lot of traction behind it so far. Ease of use,
> especially OOTB, is probably one of the main concerns.

IMO this isn't really a maven issue: basic checks should be performed
on all releases. i favour a private subversion repository with custom
hooks for release publishing.

- robert



Re: enforced signing of artifacts, [was maven repository]

Posted by Brett Porter <br...@gmail.com>.
2008/5/31 Brian E. Fox <br...@reply.infinity.nu>:
> Can you elaborate more on what you mean here? I've been on the Maven PMC
> for over a year now and this is the first I've heard of it.
>
> We do support signing of artifacts and all the maven releases are
> signed. We obviously don't control all the other Apache projects in a
> way to enforce that they sign their artifacts.

Noel is referring to enforcing checking signatures, not signing them.
I've had a proposal out there for some time which anyone is free to
comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security

There hasn't been a lot of traction behind it so far. Ease of use,
especially OOTB, is probably one of the main concerns.

- Brett

-- 
Brett Porter
Blog: http://blogs.exist.com/bporter/



RE: enforced signing of artifacts, [was maven repository]

Posted by "Noel J. Bergman" <no...@devtech.com>.
Brian E. Fox wrote:

> > I really don't care what cuts across the grain of Maven.  I do care
> > about the established principle that people must make a deliberate
> > decision to use Incubator artifacts.  If Maven would finally support
> > enforcing signing of artifacts, as they have been asked to do for
> > years, we could use an Incubator-specific signing key, forcing
> > people to approve the use of Incubator artifacts, regardless of
> > download location.

> Can you elaborate more on what you mean here? I've been on the
>  Maven PMC for over a year now and this is the first I've heard of it.

Ask some of the old(er)-timers on the PMC.  They have heard this from
multiple channels over a period of years, both because of the Incubator's
needs and the security aspect.  On the latter, there have been instances of
supposedly ASF released code being put into the repositories by effectively
rogue developers.  Responsible users of Maven don't use unsecured, unvetted,
public repositories; they manually vet and approve artifacts, and maintain
their own local repositories.

> We do support signing of artifacts and all the maven releases are
> signed.  We obviously don't control all the other Apache projects
> in a way to enforce that they sign their artifacts.

The ASF can enforce that policy for all published artifacts.  But Maven does
not require that artifacts be signed *AND* require that the user running the
maven build APPROVE the signer.  Implement that, and we're fine.  We will
require Incubator artifacts to be signed by a designated key available to
the PMC, and once a user has acknowledged that they accept such Incubator
signed artifacts, maven can do what it wants with them.

	--- Noel


