On 30/09/15 14:31, Ian wrote:
> On Wed, Sep 30, 2015 at 6:48 AM, Matthew Toseland <[email protected]> wrote:
>>
>> Checking a signature or at least a checksum is basic due diligence for
>> security-related software. It's not supported reliably by Maven,
>> apparently for business reasons.
>
> I haven't looked at it in-depth, but Gradle has something that appears to
> be signing support:
>
> https://docs.gradle.org/current/userguide/signing_plugin.html
>
> Without a thorough audit of dependencies' source code, and their
> dependencies' source code, and so on, not to mention maybe even the JRE's
> source code, all of this concern for digital signatures on binaries is
> security theatre IMHO.

"The perfect is the enemy of the good." A concept you should be familiar
with; it applies to security as well as to other aspects of engineering. Not
being able to achieve perfection is not an excuse for giving up on the
reasonable steps we CAN take.
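As a concrete illustration of the "at least a checksum" step Matthew refers to, here is an added Python example (not code from the thread, nor from Maven or Gradle): it parses the `.sha1` sidecar that Maven repositories publish next to an artifact, verifies the artifact against it, and separately checks it against a digest pinned in the build's own repository, failing closed when a dependency has no pin. The sample artifact bytes, the coordinate `org.example:widget:1.0` and the pin table are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample artifact standing in for a downloaded JAR (not a real file).
JAR_BYTES = b"PK\x03\x04 constructed sample jar content, not a real archive"

# Constructed pin table: digests checked into the build's own repository, so an
# attacker who controls the repository serving the artifact cannot also rewrite
# the checksum. A sidecar fetched from the same repository only catches corruption.
PINNED_SHA256 = {
    "org.example:widget:1.0": hashlib.sha256(JAR_BYTES).hexdigest(),
}


def parse_sidecar(text: str) -> str:
    """Return the hex digest from a Maven checksum sidecar.

    Repositories publish either a bare digest ("<hex>") or the sha1sum/md5sum
    layout ("<hex>  <filename>"); both are accepted.
    """
    fields = text.strip().split()
    if not fields:
        raise ValueError("empty checksum sidecar")
    digest = fields[0].lower()
    if len(digest) % 2 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("sidecar does not start with a hex digest")
    return digest


def verify_artifact(data: bytes, expected_hex: str, algorithm: str = "sha1") -> bool:
    """Hash the artifact and compare with the expected digest in constant time."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def check_pinned(coordinate: str, data: bytes, pins: dict = PINNED_SHA256) -> bool:
    """Verify an artifact against the digest pinned for its coordinate.

    Fails closed: a dependency with no pin is an error, not a silent pass.
    """
    if coordinate not in pins:
        raise KeyError(f"no pinned checksum for {coordinate}")
    return verify_artifact(data, pins[coordinate], "sha256")


if __name__ == "__main__":
    sidecar = hashlib.sha1(JAR_BYTES).hexdigest() + "  widget-1.0.jar\n"
    print("sidecar ok:", verify_artifact(JAR_BYTES, parse_sidecar(sidecar)))
    print("pin ok:", check_pinned("org.example:widget:1.0", JAR_BYTES))
    print("tampered:", check_pinned("org.example:widget:1.0", JAR_BYTES + b"x"))
```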
_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
