I've checked in my work so far on this. It's a pretty small and straightforward set of changes and it works for a project using signed artifacts and plugins. Of course, it gets very unhappy about the distinct lack of signatures in central on most projects.

I am going to look at creating a second repository on central that contains only signatures. I'll copy across the ones that already exist, and generate them using the shared "I trust the old repository" key. I'll have it mod_rewrite anything that isn't a detached signature to the old repo, so you can use the alternate URL as an "alternate", signed, central repo. It won't take up much space (which I'll verify) and I'll not be evolving the signatures at this time as it's just a prototype.

Any comments?

Cheers,
Brett

On 12/07/2008, at 2:42 AM, Brett Porter wrote:

Hi,

I've wanted to pick up my work on this for some time and was prodded by the [EMAIL PROTECTED] threads to take another crack at this.

http://docs.codehaus.org/display/MAVEN/Repository+Security (the issue and related branches are linked)

I've created a couple of branches to try integrating the work again in as simple and non-intrusive a manner (both in code and to the user) as possible. I already have commons-openpgp in the sandbox from some time ago to deal with processing the signatures (it doesn't have any external dependencies other than Bouncy Castle), so I'll integrate that.

If anyone else wants to offer feedback or dive in, you're more than welcome!

Cheers,
Brett

--
Brett Porter
[EMAIL PROTECTED]
http://blogs.exist.com/bporter/


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




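The signatures-only mirror with mod_rewrite fall-through that the top message proposes, written out as an added httpd configuration; it is not part of Brett's branch or of this thread, and the hostname, document root and the central URL are assumptions.

```apache
# Added example, not from the Maven repository-security branch.
# Hostname, DocumentRoot and the old-central URL below are assumptions.
<VirtualHost *:80>
    ServerName signed-central.example.org
    DocumentRoot /var/www/signed-central

    RewriteEngine On
    # Only detached signatures (*.asc) live on this host. Everything else
    # is sent on to the old, unsigned central, so a client can point at
    # this host as its single "signed" repository URL.
    RewriteCond %{REQUEST_URI} !\.asc$
    RewriteRule ^/maven2/(.*)$ http://repo1.maven.org/maven2/$1 [R=302,L]

    # A *.asc that was never generated must 404 here rather than be
    # redirected: the client should treat a missing signature as a
    # verification failure, not fetch an unrelated body from central.
    <Directory /var/www/signed-central>
        Options -Indexes
        Order allow,deny      # httpd 2.2 syntax; 2.4 uses "Require all granted"
        Allow from all
    </Directory>
</VirtualHost>
```

Signatures generated with the shared "I trust the old repository" key only attest that a file matched what central held when it was signed; the client still has to verify the artifact it actually downloaded from central against the signature served here.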
