Posted to general@incubator.apache.org by Gilles Scokart <gs...@gmail.com> on 2008/06/02 08:58:36 UTC

Re: enforced signing of artifacts, [was maven repository]

2008/5/31 Noel J. Bergman <no...@devtech.com>:

> Implement that, and we're fine.  We will
> require Incubator artifacts to be signed by a designated key available to
> the PMC, and once a user has acknowledged that they accept such Incubator
> signed artifacts, maven can do what it wants with them.
>
>        --- Noel
>

Is that really possible?  I remember some discussion on the infra list
about an ASF wide signature.  And the conclusion was always the same:
how to secure a key that can be used by so many people.  If I remember
well, some solutions were proposed, but they were quite heavy.
Do we have a solution for that?



-- 
Gilles Scokart

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: enforced signing of artifacts, [was maven repository]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On 6/3/08, Gilles Scokart <gs...@gmail.com> wrote:
> I thought this thread started with the idea: if maven would be able
> to validate signatures, we could use this feature to inform someone
> that he is using incubator artefacts.
> I thought the idea that launched this thread was to have a unique key
> for the incubator that the user has to trust if he wants to use
> incubator artefacts.

Stated like that then the artifact would need to be encrypted
> My question was in that context.

AIUI maven decided against enforcing download verification. So it
requires the maven team to develop this feature first.

Robert
>
> 2008/6/2 Noel J. Bergman <no...@devtech.com>:
>> Gilles Scokart wrote:
>>
>>> Noel J. Bergman:
>>> > Implement that, and we're fine.  We will
>>> > require Incubator artifacts to be signed by a designated key available to
>>> > the PMC, and once a user has acknowledged that they accept such Incubator
>>> > signed artifacts, maven can do what it wants with them.
>>>
>>>        --- Noel
>>
>>> Is that really possible?
>>
>> Very.
>>
>>> I remember some discussion on the infra list about an ASF wide signature.
>>> And the conclusion was always the same: how to secure a key that can be
>>> used by so many people.  If I remember well, some solutions were proposed,
>>> but they were quite heavy.  Do we have a solution for that?
>>
>> There are various things that can be done with respect to key management.
>> Personally, I would not go with a single key.  But maven ought to maintain a
>> trust file, with options to accept files that are signed with a trusted key,
>> or signed by a key that is signed by a trusted key, etc.  The first thing
>> that has to happen is for the Maven PMC to make security a priority.
>>
>>        --- Noel
>>
>
> --
> Gilles Scokart
>



Re: enforced signing of artifacts, [was maven repository]

Posted by Gilles Scokart <gs...@gmail.com>.
I thought this thread started with the idea: if maven would be able
to validate signatures, we could use this feature to inform someone
that he is using incubator artefacts.
I thought the idea that launched this thread was to have a unique key
for the incubator that the user has to trust if he wants to use
incubator artefacts.

My question was in that context.



2008/6/2 Noel J. Bergman <no...@devtech.com>:
> Gilles Scokart wrote:
>
>> Noel J. Bergman:
>> > Implement that, and we're fine.  We will
>> > require Incubator artifacts to be signed by a designated key available to
>> > the PMC, and once a user has acknowledged that they accept such Incubator
>> > signed artifacts, maven can do what it wants with them.
>>
>>        --- Noel
>
>> Is that really possible?
>
> Very.
>
>> I remember some discussion on the infra list about an ASF wide signature.
>> And the conclusion was always the same: how to secure a key that can be
>> used by so many people.  If I remember well, some solutions were proposed,
>> but they were quite heavy.  Do we have a solution for that?
>
> There are various things that can be done with respect to key management.
> Personally, I would not go with a single key.  But maven ought to maintain a
> trust file, with options to accept files that are signed with a trusted key,
> or signed by a key that is signed by a trusted key, etc.  The first thing
> that has to happen is for the Maven PMC to make security a priority.
>
>        --- Noel
>

-- 
Gilles Scokart



Re: enforced signing of artifacts, [was maven repository]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On 6/2/08, Noel J. Bergman <no...@devtech.com> wrote:
> Robert Burrell Donkin wrote:
>
>> my conclusion was that meta-data signed by [keys in the] WoT would be good
>> enough.
>
>> there's no need to distribute a master key
>
> +1
>
>> key management is tricky
>
> Not that tricky.  Let's not make as if this isn't done routinely elsewhere.

>> this is where the complexity lies. IIRC it was quite tough to come up
>> with a user friendly trust model that worked correctly.
>
> Not so much, seeing as how you just agreed with CLR:
>
>> For example, "trust all unsigned", "trust all signed", "trust all signed in
>> Apache WOT" might be reasonable policies declared by the user.
IMHO these are all reasonable policies. But users are used to thinking
in black and white. They want software just to work.

>> we don't actually require that the artifacts are signed: just
>> meta-data about the artifacts
>
> What do you think a signature is in the first place?  It is a digitally
> encrypted hash, i.e., meta-data.
The idea is that you sign finely grained domain specific meta-data.
For example, I would not be willing to sign a key unless I've met the
owner F2F but I would be willing to sign meta-data linking a key to an
incubator project.

Robert

>
> 	--- Noel
>
>
>
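The trust model argued over in this thread (Noel's trust file with "signed with a trusted key" and "signed by a key that is signed by a trusted key" options, CLR's three user policies, and Robert's finely grained meta-data that binds a key to an incubator project) can be written down as a small policy evaluator. The following is an added example, not code from Maven, the ASF or anyone on this thread. All fingerprints, the artifact bytes and the project names are constructed sample values, and the OpenPGP signature check is replaced by a digest comparison, which is an assumption of this example standing in for the real public-key operation.

```python
"""Trust-policy evaluation for signed artifacts and signed key/project meta-data.

Added example (not Maven's or the ASF's code). Fingerprints, artifact bytes
and project names are constructed; `verify` is an assumed stand-in for an
OpenPGP signature check.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Policy(Enum):
    TRUST_ALL_UNSIGNED = "trust all unsigned"      # accept anything, signed or not
    TRUST_ALL_SIGNED = "trust all signed"          # any signature that verifies
    TRUST_WOT = "trust all signed in Apache WOT"   # signer must be reachable from the trust file


@dataclass
class Signature:
    signer: str   # fingerprint of the signing key (constructed sample value)
    digest: str   # sha256 hex of the bytes the signer committed to


@dataclass
class TrustFile:
    trusted: Set[str]                      # keys the user trusts directly
    certifications: Dict[str, Set[str]]    # key -> keys that have signed (certified) it
    max_hops: int = 1                      # 1 = "signed by a key that is signed by a trusted key"

    def in_wot(self, fpr: str) -> bool:
        """Walk from fpr up through its certifiers, at most max_hops steps."""
        frontier, seen = {fpr}, set()
        for _ in range(self.max_hops + 1):
            if frontier & self.trusted:
                return True
            seen |= frontier
            frontier = {c for k in frontier for c in self.certifications.get(k, set())} - seen
        return False


def verify(sig: Signature, data: bytes, keyring: Set[str]) -> bool:
    # Assumption: stands in for OpenPGP verification. The key must be known and
    # the signed digest must equal the digest of the bytes actually downloaded.
    return sig.signer in keyring and sig.digest == sha256(data)


def accept(data: bytes, sig: Optional[Signature], policy: Policy,
           trust: TrustFile, keyring: Set[str]) -> Tuple[bool, str]:
    """Decide whether a downloaded artifact is acceptable under the user's policy."""
    if policy is Policy.TRUST_ALL_UNSIGNED:
        return True, "accepted: policy trusts unsigned artifacts"
    if sig is None:
        return False, "rejected: artifact is unsigned"
    if not verify(sig, data, keyring):
        return False, "rejected: signature does not verify against the downloaded bytes"
    if policy is Policy.TRUST_ALL_SIGNED:
        return True, "accepted: any verifying signature"
    if trust.in_wot(sig.signer):
        return True, "accepted: signer %s is within %d hop(s) of a trusted key" % (sig.signer, trust.max_hops)
    return False, "rejected: signer %s is not in the web of trust" % sig.signer


@dataclass
class ProjectBinding:
    """Signed meta-data record: 'this key releases for this project'."""
    project: str
    key: str
    sig: Signature   # signature over payload() by some WoT member

    def payload(self) -> bytes:
        return ("%s:%s" % (self.project, self.key)).encode()


def projects_for_key(key: str, bindings: List[ProjectBinding],
                     trust: TrustFile, keyring: Set[str]) -> Set[str]:
    """Projects a key is attested to release for, counting only bindings whose
    signature verifies and whose signer is in the web of trust. A client can use
    this to tell the user an artifact comes from an incubating project."""
    return {b.project for b in bindings
            if b.key == key and verify(b.sig, b.payload(), keyring) and trust.in_wot(b.sig.signer)}


# --- constructed sample keyring, trust file, artifact and meta-data ---
INFRA, DEV, STRANGER = "FPR-INFRA-0001", "FPR-DEV-0002", "FPR-STRANGER-0003"
KEYRING = {INFRA, DEV, STRANGER}
TRUST = TrustFile(trusted={INFRA}, certifications={DEV: {INFRA}})   # INFRA certified DEV
ARTIFACT = b"constructed jar bytes"
SIG_DEV = Signature(DEV, sha256(ARTIFACT))
SIG_STRANGER = Signature(STRANGER, sha256(ARTIFACT))
SIG_TAMPERED = Signature(DEV, sha256(b"constructed jar bytes, modified in transit"))
BINDINGS = [
    ProjectBinding("incubator-example", DEV, Signature(INFRA, sha256(b"incubator-example:" + DEV.encode()))),
    ProjectBinding("incubator-bogus", DEV, Signature(STRANGER, sha256(b"incubator-bogus:" + DEV.encode()))),
]

if __name__ == "__main__":
    for label, sig, policy in [("dev/WoT", SIG_DEV, Policy.TRUST_WOT),
                               ("stranger/WoT", SIG_STRANGER, Policy.TRUST_WOT),
                               ("stranger/any-signed", SIG_STRANGER, Policy.TRUST_ALL_SIGNED),
                               ("tampered/any-signed", SIG_TAMPERED, Policy.TRUST_ALL_SIGNED),
                               ("unsigned/WoT", None, Policy.TRUST_WOT)]:
        print(label, accept(ARTIFACT, sig, policy, TRUST, KEYRING))
    print("projects for DEV:", projects_for_key(DEV, BINDINGS, TRUST, KEYRING))
```

The split between `accept` and `projects_for_key` mirrors Robert's point: the user never has to certify the developer's key in the OpenPGP sense, only a narrowly scoped statement ("this key releases for this project") signed by someone already in the trust file, and the tampered-artifact case shows that every policy except "trust all unsigned" still rejects bytes that do not match the signed digest.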



RE: enforced signing of artifacts, [was maven repository]

Posted by "Noel J. Bergman" <no...@devtech.com>.
Robert Burrell Donkin wrote:

> my conclusion was that meta-data signed by [keys in the] WoT would be good
> enough.

> there's no need to distribute a master key

+1

> key management is tricky

Not that tricky.  Let's not make as if this isn't done routinely elsewhere.

> this is where the complexity lies. IIRC it was quite tough to come up
> with a user friendly trust model that worked correctly.

Not so much, seeing as how you just agreed with CLR:

> For example, "trust all unsigned", "trust all signed", "trust all signed in
> Apache WOT" might be reasonable policies declared by the user.

> we don't actually require that the artifacts are signed: just
> meta-data about the artifacts

What do you think a signature is in the first place?  It is a digitally
encrypted hash, i.e., meta-data.

	--- Noel





Re: enforced signing of artifacts, [was maven repository]

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Mon, Jun 2, 2008 at 7:29 PM, William A. Rowe, Jr.
<wr...@rowe-clan.net> wrote:
> Noel J. Bergman wrote:
>>
>> Gilles Scokart wrote:
>>
>>> Noel J. Bergman:
>>>> Implement that, and we're fine.  We will
>>>> require Incubator artifacts to be signed by a designated key available to
>>>> the PMC, and once a user has acknowledged that they accept such Incubator
>>>> signed artifacts, maven can do what it wants with them.
>>>
>>>       --- Noel
>>
>>> Is that really possible?
>>
>> Very.
>
> Why is it not equally possible to validate against a short list of keys
> (e.g. infra PMC members) and their immediate trust.  This is what gpg is
> good at.

the short answer is not quite (trust models are too different). my
conclusion was that meta-data signed by a short list of keys in the
WoT would be good enough.

>>> I remember some discussion on the infra list about an ASF wide signature.
>>> And the conclusion was always the same: how to secure a key that can be
>>> used by so many people.  If I remember well, some solutions were proposed,
>>> but they were quite heavy.  Do we have a solution for that?

there's no need to distribute a master key

>> There are various things that can be done with respect to key management.

key management is tricky

>> Personally, I would not go with a single key.  But maven ought to maintain a
>> trust file, with options to accept files that are signed with a trusted key,
>> or signed by a key that is signed by a trusted key, etc.

this is where the complexity lies. IIRC it was quite tough to come up
with a user friendly trust model that worked correctly.

>>  The first thing
>> that has to happen is for the Maven PMC to make security a priority.
>
> As far as signing jars, microsoft authenticode etc, Noel and I planned to
> create such a service (although we've both been really busy in the past few
> months).  But it will always require that the artifacts are already signed
> by someone in the ASF's web-of-trust via pgp.

we don't actually require that the artifacts are signed: just
meta-data about the artifacts

- robert



RE: enforced signing of artifacts, [was maven repository]

Posted by "Noel J. Bergman" <no...@devtech.com>.
William A. Rowe, Jr. wrote:

> Why is it not equally possible to validate against a short list of keys
> (e.g. infra PMC members) and their immediate trust.  This is what gpg is
> good at.

First get the code built into Maven for actually checking the signatures and we're golden, with multiple options.

> As far as signing jars, microsoft authenticode etc, Noel and I planned to
> create such a service (although we've both been really busy in the past few
> months).  But it will always require that the artifacts are already signed
> by someone in the ASF's web-of-trust via pgp.

I've been wondering when you'd come back to life, but you may have been waiting for me.  I actually had time the past week.

	--- Noel





Re: enforced signing of artifacts, [was maven repository]

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Noel J. Bergman wrote:
> Gilles Scokart wrote:
> 
>> Noel J. Bergman:
>>> Implement that, and we're fine.  We will
>>> require Incubator artifacts to be signed by a designated key available to
>>> the PMC, and once a user has acknowledged that they accept such Incubator
>>> signed artifacts, maven can do what it wants with them.
>>        --- Noel
> 
>> Is that really possible?
> 
> Very.

Why is it not equally possible to validate against a short list of keys
(e.g. infra PMC members) and their immediate trust.  This is what gpg is
good at.

>> I remember some discussion on the infra list about an ASF wide signature.
>> And the conclusion was always the same: how to secure a key that can be
>> used by so many people.  If I remember well, some solutions were proposed,
>> but they were quite heavy.  Do we have a solution for that?
> 
> There are various things that can be done with respect to key management.
> Personally, I would not go with a single key.  But maven ought to maintain a
> trust file, with options to accept files that are signed with a trusted key,
> or signed by a key that is signed by a trusted key, etc.  The first thing
> that has to happen is for the Maven PMC to make security a priority.

As far as signing jars, microsoft authenticode etc, Noel and I planned to
create such a service (although we've both been really busy in the past few
months).  But it will always require that the artifacts are already signed
by someone in the ASF's web-of-trust via pgp.

Bill



RE: enforced signing of artifacts, [was maven repository]

Posted by "Noel J. Bergman" <no...@devtech.com>.
Gilles Scokart wrote:

> Noel J. Bergman:
> > Implement that, and we're fine.  We will
> > require Incubator artifacts to be signed by a designated key available to
> > the PMC, and once a user has acknowledged that they accept such Incubator
> > signed artifacts, maven can do what it wants with them.
>
>        --- Noel

> Is that really possible?

Very.

> I remember some discussion on the infra list about an ASF wide signature.
> And the conclusion was always the same: how to secure a key that can be
> used by so many people.  If I remember well, some solutions were proposed,
> but they were quite heavy.  Do we have a solution for that?

There are various things that can be done with respect to key management.
Personally, I would not go with a single key.  But maven ought to maintain a
trust file, with options to accept files that are signed with a trusted key,
or signed by a key that is signed by a trusted key, etc.  The first thing
that has to happen is for the Maven PMC to make security a priority.

	--- Noel


