Posted to dev@maven.apache.org by Benson Margulies <bi...@gmail.com> on 2011/08/31 16:42:08 UTC

Eclipse plugins and X.509 signatures

I've been helping Vincent & Hervé push Vincent's Eclipse plugins for
Doxia file formats towards a release. I've got a tentative plan for
code-signing and I felt that it should be exposed on the dev list.

Eclipse uses standard Java X.509 JAR signing. The Apache Directory
project also distributes Eclipse plugins, and handles this as follows:

1) They use a self-signed X.509 signature. In my view, the way to do
this consistent with Apache process is to have each person serving as
RM on this stuff generate their own and check the public key into the
tree.

2) They also attach the usual sort of PGP detached signature files to
all the files that they distribute. We can't do this with Maven in
this case, at least not very well.

I'm going to proceed down this line unless someone objects. Note that
the ASF infrastructure site has some web pages that suggest the
existence of an X.509 CA, but I can't find any evidence so far that it
is alive.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


Re: Eclipse plugins and X.509 signatures

Posted by Benson Margulies <bi...@gmail.com>.
On Wed, Aug 31, 2011 at 10:52 AM, Igor Fedorenko <ig...@ifedorenko.com> wrote:
> Beware that Eclipse P2 does not like self-signed certificates all that much.

Gah. That's a pretty good reason to punt and just do the detached PGP
sigs to make the release police happy.

Unless someone wants to help me convince the board to pay for a
commercial cert and come up with a way to deploy it as they do at the
Eclipse foundation.



>
> [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=340345
>
> --
> Regards,
> Igor


Re: Eclipse plugins and X.509 signatures

Posted by Benson Margulies <bi...@gmail.com>.
After thinking about Igor's observations here and on the bz referenced
below, I want to offer an alternative proposal.

At Apache, we want to encourage people to actually validate what they
download from us. Given the current state of the X.509 ecosystem and
Eclipse, no actual validation will take place if we self-sign, and
some might argue that we're in fact assisting spoofers.

My alternative proposal is to have no P2 site at all. Instead, simply
put a .zip archive of the P2 site onto our regular release site, with
the regular PGP signatures. The Eclipse installation UI is perfectly
happy to consume an archive of a P2 site instead of a URL.

It's slightly less convenient for the end-user, but it's potentially a
lot more secure.

Thoughts?


On Wed, Aug 31, 2011 at 10:52 AM, Igor Fedorenko <ig...@ifedorenko.com> wrote:
> Beware that Eclipse P2 does not like self-signed certificates all that much.
>
> [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=340345
>
> --
> Regards,
> Igor

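As an added illustration of the "no actual validation will take place if we self-sign" point (this is not code from the thread, from Maven or from any Apache project), a Java 11+ checker a release reviewer could run against a plugin JAR: it lets the JDK's own JarFile verifier check every entry digest, then reports for each signer whether the certificate is self-signed and whether the top of its chain was issued by a trust anchor in the JDK's default cacerts, i.e. whether anything beyond self-consistency can be validated at all. The class name PluginSignerCheck and the single file-path argument are assumptions of this example.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not part of the thread. Usage: java PluginSignerCheck <plugin.jar>
public class PluginSignerCheck {
    // A certificate is self-signed when issuer equals subject and it verifies under its own key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getIssuerX500Principal().equals(c.getSubjectX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }
    // True when some anchor in the JDK's default truststore (cacerts) signed the certificate.
    static boolean signedByTrustAnchor(X509Certificate c, X509Certificate[] anchors) {
        for (X509Certificate a : anchors) {
            try { c.verify(a.getPublicKey()); return true; } catch (Exception ignored) { }
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // a null keystore selects the JDK's default cacerts
        X509Certificate[] anchors = ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers();
        Set<String> seen = new HashSet<>();
        int unsigned = 0;
        try (JarFile jar = new JarFile(args[0], true)) { // true: verify entry digests while reading
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Read the entry to EOF; a tampered entry makes the verifier throw SecurityException here.
                try (InputStream in = jar.getInputStream(e)) { in.transferTo(OutputStream.nullOutputStream()); }
                CodeSigner[] signers = e.getCodeSigners(); // null until the entry has been read completely
                if (signers == null) { unsigned++; continue; }
                for (CodeSigner s : signers) {
                    List<? extends java.security.cert.Certificate> path = s.getSignerCertPath().getCertificates();
                    X509Certificate leaf = (X509Certificate) path.get(0);
                    if (!seen.add(leaf.getSubjectX500Principal().getName())) continue; // report each signer once
                    System.out.printf("signer %s: self-signed=%b, chains to JDK trust anchor=%b%n",
                        leaf.getSubjectX500Principal(), isSelfSigned(leaf),
                        signedByTrustAnchor((X509Certificate) path.get(path.size() - 1), anchors));
                }
            }
        }
        System.out.printf("unsigned entries (outside META-INF/): %d%n", unsigned);
    }
}
```

A self-signed signer prints self-signed=true and chains to JDK trust anchor=false, which is exactly the case where the only meaningful check left is comparing the key against one published out of band, such as a public key checked into the tree or a PGP-signed archive.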

Re: Eclipse plugins and X.509 signatures

Posted by Igor Fedorenko <ig...@ifedorenko.com>.
Beware that Eclipse P2 does not like self-signed certificates all that much.

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=340345

--
Regards,
Igor
