Hi

The attack scenario that I'm trying to guard against is the following:

Stopping an attacker that manages to exploit our Nexus server from being able to run arbitrary code on all the build servers and developer machines in our organization.

best regards
Alexander Kjäll

On 06. des. 2016 13:25, Tibor Digana wrote:
What real problem is behind your question?
Are you running any tool which has a problem with signatures in Nexus, or
does the development process in your company have a problem?

The MD5 is not security, nothing but verification that the deployed artifact is
the identical binary you have downloaded from Nexus; however, the GnuPG *.asc is
the real signature of the deployer, and the KEYS can be found in Apache projects
if really necessary.

You should always be able to verify gpg signatures via (gpg --verify
your-artifact-file.sig your-artifact-file) without adding (<signed-by
algorithm="sha256">XXX</signed-by>) in the POM.


On Mon, Dec 5, 2016 at 1:56 AM, John Patrick <nhoj.patr...@gmail.com> wrote:

Hiya,

So currently checksums are not generated by default... I've submitted
a ticket which switched the install plugin to generate them by
default.

Next step: stop using md5, which most have considered dead for several
years, and, checking apache
(https://www.apache.org/dev/release-signing.html), sha512 should be
being used.

So either:
1) add support so md5, sha1, sha256 and sha512 are all generated
2) plugin defines which is generated
3) plugin defines a list which are generated
4) settings.xml defines which is generated
5) settings.xml defines a list which are generated?

Thoughts???

Next:
Currently when downloading we have ignore, warn or error if checksums
don't match. I propose adding a checksum min level option, i.e. allow
MD5 > SHA1, SHA256 > SHA512

So:
1) Default to MD5
2) Wait till all maven plugins deploy a sha512 to central
3) Switch default to SHA512

What are developers thoughts?
What staged steps should this be merged as?

I would like to start helping getting the core maven and all of its
dependencies more secure so people can start trusting maven is secure
by default, as I get the feeling it isn't at the moment.

Cheers,
John

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
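The "checksum min level" John proposes above can be expressed as a small policy check: accept only a published checksum whose algorithm is at or above the configured minimum, prefer the strongest one the repository serves, and compare the recomputed digest in constant time. The block below is an added example written for this thread, not code from Maven, the install plugin or Nexus; the artifact bytes, the checksum-file contents and the function names are constructed for illustration. As Tibor and Alexander's exchange points out, a checksum fetched from the same server as the artifact only catches corruption in transit: a compromised repository rewrites both, so this check complements, and does not replace, verifying the GnuPG .asc signature against keys obtained independently of the repository.

```python
"""Checksum "minimum level" policy for Maven-style artifacts (added example)."""
import hashlib
import hmac

# Weakest to strongest, the ordering proposed in the thread: MD5 < SHA1 < SHA256 < SHA512.
STRENGTH = ["md5", "sha1", "sha256", "sha512"]


def parse_checksum_file(text: str) -> str:
    """Return the hex digest from a .md5/.sha1/.sha256/.sha512 sidecar file.

    Files written by different tools are either a bare digest or
    "digest  filename" (the coreutils shasum layout); the digest is the first token.
    """
    tokens = text.split()
    if not tokens:
        raise ValueError("empty checksum file")
    return tokens[0].lower()


def verify_artifact(artifact: bytes, published: dict, min_algo: str):
    """Verify `artifact` against the strongest published checksum meeting `min_algo`.

    `published` maps algorithm name -> checksum file contents, as they would be
    fetched from the repository next to the artifact. Returns (ok, detail):
    on success `detail` is the algorithm actually used, otherwise the reason.
    """
    if min_algo not in STRENGTH:
        raise ValueError(f"unknown algorithm {min_algo!r}")
    min_rank = STRENGTH.index(min_algo)
    usable = [a for a in STRENGTH if a in published and STRENGTH.index(a) >= min_rank]
    if not usable:
        have = ", ".join(sorted(published)) or "none"
        return False, f"no checksum at or above {min_algo} (published: {have})"
    algo = usable[-1]  # STRENGTH is ordered weakest-first, so the last one is the strongest
    expected = parse_checksum_file(published[algo])
    actual = hashlib.new(algo, artifact).hexdigest()
    # Constant-time comparison so the check itself does not leak digest prefixes.
    if not hmac.compare_digest(expected, actual):
        return False, f"{algo} mismatch"
    return True, algo


def build_published(artifact: bytes, algos, with_filename=None) -> dict:
    """Construct the sidecar checksum files a repository would serve for `artifact`.

    This is a test fixture standing in for the files downloaded alongside the jar.
    """
    files = {}
    for a in algos:
        digest = hashlib.new(a, artifact).hexdigest()
        files[a] = f"{digest}  {with_filename}\n" if with_filename else digest + "\n"
    return files


# Constructed sample artifact; stands in for a downloaded .jar (not a real archive).
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed sample jar bytes for the example"


def demo():
    """Run the three cases a min-level policy has to handle and return the verdicts."""
    results = {}
    good = build_published(SAMPLE_ARTIFACT, ["md5", "sha1", "sha512"],
                           with_filename="sample-1.0.jar")
    # Strongest acceptable algorithm (sha512) is used even though weaker ones are published.
    results["strongest_used"] = verify_artifact(SAMPLE_ARTIFACT, good, "sha256")
    # A repository that only publishes md5 fails a sha256 policy outright.
    results["too_weak"] = verify_artifact(
        SAMPLE_ARTIFACT, build_published(SAMPLE_ARTIFACT, ["md5"]), "sha256")
    # Modified bytes are caught by the digest mismatch.
    tampered = bytearray(SAMPLE_ARTIFACT)
    tampered[10] ^= 0x01
    results["tampered"] = verify_artifact(bytes(tampered), good, "sha256")
    return results


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:15} ok={ok} {detail}")
```

The policy deliberately refuses, rather than downgrades, when nothing at or above the minimum is published; that matches John's staged plan, where the default minimum moves from MD5 to SHA512 only once plugins deploy the stronger sidecar files to central.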
