I personally wouldn't feel comfortable with Maven auto-fetching keys,
unless it's working in a web-of-trust mode. How would I verify that the
keys were any good otherwise? It's pretty likely that any compromise
that allowed someone to place a rogue artifact could also add their key
into the master key file on the webserver.
Instead I would expect Maven to ship with a keyring that had a couple
keys in it, corresponding to maven developers. When I wanted to pull in
new components signed by different keys I'd have to add those keys
manually after I had verified the key.
Robert Burrell Donkin wrote:
The key should be downloaded from a trusted keyserver or KEYS file
(as specified in settings.xml above), not from the repository that
the artifact is being downloaded from.
This may need more thought. These distribution mechanisms are
typically intended to just distribute keys without guarantees.
I think getting KEYS (not automatically) from the original web server
should be satisfactory to most users in terms of trustworthiness. It
was poorly worded in that it looked like that might be a transparent
action where it's not though.
I would only trust KEYS for a particular purpose, not generally
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[EMAIL PROTECTED], http://www.switch.ch
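As an added example (not code from this thread or from Maven), here is a POSIX shell sketch of the policy proposed above: a signature is checked only against a locally pinned keyring, with key fetching disabled, and a key is added to that keyring only when its fingerprint matches one the operator obtained out of band. The function names, file names and the use of a plain gpg keyring file are assumptions.

```shell
#!/bin/sh
# verify_artifact ARTIFACT SIG KEYRING
# Checks the detached signature SIG over ARTIFACT using only the keys in
# KEYRING. Key retrieval from keyservers or the artifact repository is
# disabled, so an unknown signer simply fails verification. (Example code.)
verify_artifact() {
    artifact=$1; sig=$2; keyring=$3
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --no-auto-key-retrieve --trust-model always \
        --verify "$sig" "$artifact" >/dev/null 2>&1
}

# pin_key KEYFILE KEYRING EXPECTED_FPR
# Imports the exported public key in KEYFILE into KEYRING only if its
# fingerprint equals EXPECTED_FPR (obtained and checked out of band by the
# operator, not read from the same server as the artifact). (Example code.)
pin_key() {
    keyfile=$1; keyring=$2; expected=$3
    # show-only lists the key's fingerprint without importing anything
    actual=$(gpg --batch --with-colons --import-options show-only \
                 --import "$keyfile" 2>/dev/null \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ] || return 1
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --import "$keyfile" >/dev/null 2>&1
}
```

Both functions return a non-zero status on refusal, so a build script can stop on the first artifact whose signer is not already pinned.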