On Wed, 2004-01-07 at 10:45, Rafal Krzewski wrote:
> Jason van Zyl wrote:
> 
> > - include a pointer to an md5 file for the bundle inside the bundle and
> > the location must be a public location on the project's site so
> > obviously a developer must have access to this site.
> > 
> > - push the bundle to a machine where the md5 file for the bundle can be
> > retrieved and verified.
> > 
> > - if the bundle passes mustard it goes to a directory where it can be
> > sync'd by the ibiblio folks.
> 
> This is nice and simple but how do you prevent Joe from uploading a
> bundle that claims that it contains Mike's software, pointing to a
> website controlled by Joe as the location of the MD5.

It has to be the official location of the project's website not just any
random site controlled by Joe. That's in the first point above.

> If we had a policy that groupId == project's website hostname, and
> looked for the md5 in the location like
> http://${groupId}/bundles/${bundleName}.md5
> the scheme would probably be sufficient (Joe wouldn't be able to
> mess with Mike's software, unless he broke into his website).
> Unfortunately we don't have such policy, and it doesn't seem likely that
> we can introduce it at this point - virtually every POM in existence
> would have to be altered.
> 
> I think the only reasonably safe way of doing this is passing <groupId;pkey>
> pairs to ibiblio over some sort of trusted channel, and signing the
> bundle md5s.
> The 'trusted channel' above could be PGP mail - ibiblio should keep the
> information who sent the pkey - this person vouches for artifact integrity.

The artifacts would not go directly to ibiblio, they would be vetted
elsewhere before being uploaded to ibiblio. I wouldn't make the ibiblio
admins responsible for artifacts we wanted placed in the repository.

> R.
-- 
jvz.

Jason van Zyl
[EMAIL PROTECTED]
http://tambora.zenplex.org

In short, man creates for himself a new religion of a rational
and technical order to justify his work and to be justified in it.
  
  -- Jacques Ellul, The Technological Society
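The check the thread is arguing about, as an added example that is not part of this mailing-list exchange or of Maven itself: the verifier reads the md5 pointer out of the bundle, refuses it unless the pointer's host is the groupId's registered official site (Jason's "official location" requirement, which is what stops Joe from pointing at his own site), and only then compares the published md5 against the bundle's actual digest. The bundle layout (a zip with a `MD5-LOCATION` entry and a minimal `project.xml`), the `OFFICIAL_HOSTS` registry, and the in-memory `PUBLISHED_MD5` map standing in for an HTTP fetch are all assumptions made for the example.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hypothetical registry of each groupId's official website, i.e. the
# "official location" the verifier is allowed to trust. It is maintained
# by the repository administrators, never derived from the bundle itself.
OFFICIAL_HOSTS = {
    "mike-project": "mike.example.org",
}

# Constructed stand-in for the md5 files published on project websites,
# keyed by URL. A real checker would fetch these over HTTP.
PUBLISHED_MD5 = {}


def build_bundle(group_id, artifact, payload, md5_url):
    """Constructed bundle: a zip holding the artifact, a minimal POM and the
    pointer to the bundle's md5 file (entry name MD5-LOCATION is assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{artifact}.jar", payload)
        zf.writestr("project.xml",
                    f"<project><groupId>{group_id}</groupId></project>")
        zf.writestr("MD5-LOCATION", md5_url)
    return buf.getvalue()


def publish_md5(md5_url, bundle):
    """Simulate the project publishing its bundle's md5 on its own site."""
    PUBLISHED_MD5[md5_url] = hashlib.md5(bundle).hexdigest()


def verify_bundle(bundle, fetch=PUBLISHED_MD5.get):
    """Return (accepted, reason).

    The md5 is only trusted when it is served from the groupId's official
    host, so a pointer to any other site is rejected before a digest is
    even fetched; a bundle whose contents differ from what the project
    published fails the digest comparison.
    """
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        md5_url = zf.read("MD5-LOCATION").decode().strip()
        group_id = ET.fromstring(zf.read("project.xml")).findtext("groupId")

    official = OFFICIAL_HOSTS.get(group_id)
    if official is None:
        return False, f"unknown groupId {group_id!r}"

    url = urlparse(md5_url)
    if url.scheme not in ("http", "https") or url.hostname != official:
        return False, (f"md5 location host {url.hostname!r} is not the "
                       f"official site for groupId {group_id!r}")

    expected = fetch(md5_url)
    if expected is None:
        return False, "md5 file not found at official location"

    actual = hashlib.md5(bundle).hexdigest()
    if actual != expected.strip():
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    url = "http://mike.example.org/bundles/mike-lib.md5"
    good = build_bundle("mike-project", "mike-lib", b"class data", url)
    publish_md5(url, good)
    print(verify_bundle(good))
    # Same groupId, but the pointer names a site that is not Mike's.
    forged = build_bundle("mike-project", "mike-lib", b"not mike's code",
                          "http://joe.example.net/bundles/mike-lib.md5")
    print(verify_bundle(forged))
```

The host check is what carries the security argument: with it, the only way to get a bundle accepted under Mike's groupId is to place an md5 on Mike's own site, which is exactly the "unless he broke into his website" residual that Rafal describes. Without it, the digest comparison alone proves nothing, since whoever built the bundle can publish a matching md5 anywhere.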


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
