Hi,

Changing subject line as this has changed to a more general discussion
IMO - https://github.com/apache/sling-org-apache-sling-auth-saml2/pull/1
has more specific details.

On Mon, Apr 26, 2021 at 10:16 PM Cris Rockwell <cmroc...@umich.edu> wrote:
> ...In theory, all dependencies should be validated. It’s not a crazy idea.
> Apache Sling projects generally don't validate dependency signatures,
> so where to begin?....

I agree that in general blindly downloading stuff from the Internet is
not a good idea.

Validating with pgpverify-maven-plugin (assuming we also validate the
plugin itself) can be a good idea but if we do it I think we should
generalize it to all modules or at least have a plan to generalize it.

People building their own artifacts (which might not be common in the
Java world) might get in trouble, so you'd need a way to specify
alternate signatures or checksums at build time. Same for temporarily
introducing unsigned snapshots to test something, we'd need to
document how to do those things.

If you want to pursue this I suggest creating an example in our
whiteboard initially, so that we can discuss whether we want to
generalize that based on a concrete example, without introducing it in
just a few modules without a plan.

Thanks for researching this!

-Bertrand
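An added example, not from this thread and not Sling's own pom or the linked PR, of what wiring pgpverify-maven-plugin into a build looks like when the checks are meant to be generalized rather than dropped into one module. The plugin coordinates, the `check` goal and the parameter names are from my recollection of the org.simplify4u.plugins documentation and should be verified against the plugin version you pin; the version and the keys-map file name are placeholders.

```xml
<!-- Added example (not Sling's pom): run pgpverify-maven-plugin on every build
     so dependency signatures are checked against a reviewed key map.
     Parameter names are from my recollection of the plugin docs; verify them
     against the pinned plugin version. X.Y.Z is a placeholder version. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.simplify4u.plugins</groupId>
      <artifactId>pgpverify-maven-plugin</artifactId>
      <!-- Pin the verifier itself: a floating plugin version would mean the
           plugin doing the verification is the one thing nobody verified. -->
      <version>X.Y.Z</version>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- groupId:artifactId:version -> expected signing key fingerprint(s),
             kept in the repository so that any change of trust is reviewed. -->
        <keysMapLocation>${project.basedir}/pgp-keys-map.list</keysMapLocation>
        <!-- An artifact with no signature at all fails the build instead of
             being silently accepted. -->
        <failNoSignature>true</failNoSignature>
        <!-- Plugins and their dependencies run code in the build too;
             verify them, not only compile-scope dependencies. -->
        <verifyPlugins>true</verifyPlugins>
        <verifyPluginDependencies>true</verifyPluginDependencies>
        <!-- Locally built, unsigned SNAPSHOTs used for a quick test are not
             checked; released artifacts always are. -->
        <verifySnapshots>false</verifySnapshots>
      </configuration>
    </plugin>
  </plugins>
</build>
```

The keys-map file is the part that answers the "alternate signatures at build time" point: as I recall the format, each line is `groupId:artifactId:version = 0x<fingerprint>` with `*` allowed as a wildcard in any of the three coordinates, so someone rebuilding an artifact with their own key adds one line (or keeps it in a local, uncommitted map referenced through `keysMapLocation`) rather than disabling verification for the whole build. Because the map lives in the same repository as the pom, a PR that changes which key may sign an artifact is visible in review in the same way as a version bump.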
