On Wed, Sep 30, 2015 at 8:34 AM, Matthew Toseland <[email protected]> wrote:

> On 30/09/15 14:31, Ian wrote:
> >> Checking a signature or at least a checksum is basic due diligence for
> >> security-related software. It's not supported reliably by Maven,
> >> apparently for business reasons.
> >
> > I haven't looked at it in-depth, but Gradle has something that appears to
> > be signing support:
> >
> > https://docs.gradle.org/current/userguide/signing_plugin.html
> >
> > Without a thorough audit of dependencies' source code, and their
> > dependencies' source code, and so on, not to mention maybe even the JRE's
> > source code, all of this concern for digital signatures on binaries is
> > security theatre IMHO
>
> "The perfect is the enemy of the good". A concept you should be familiar
> with, it applies to security as well as to other aspects of engineering.
> Not being able to achieve perfection is not an excuse for giving up on
> the reasonable steps we CAN take.

I'm not opposed to using signing if we can do it without keeping the project stuck in 2001's development tools - because that will pretty much guarantee its slow death.

Ian.

_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
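The "at least a checksum" step the thread argues about is small enough to show in full. The following is an added example, not code from Freenet or from any of the build tools named above; it assumes a checksum manifest pinned in the project's own repository in the `sha256sum` text format (`<hex digest>  <filename>`, one per line), and it treats an artifact that is unpinned, absent, or whose digest differs as a failure rather than a warning. The artifact names and bytes are constructed for the demonstration. Note what it does and does not give you: it detects a download that differs from what the project pinned, which is the integrity check Maven's `.sha1` sidecars were meant to provide, but the authenticity of the manifest itself still rests on the version control history that carries it, and a signature check on the manifest or the artifacts is the step that closes that gap.

```python
"""Verify build artifacts against a pinned SHA-256 manifest (hypothetical helper)."""
import hashlib
from typing import Dict, List, Tuple

HEX = set("0123456789abcdef")


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: digest}.

    Blank lines and '#' comments are ignored; a malformed line is an error,
    because silently skipping it would leave an artifact unpinned.
    """
    pinned: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode marker
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"manifest line {lineno}: not a SHA-256 digest: {parts[0]!r}")
        pinned[name] = digest
    return pinned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(pinned: Dict[str, str], artifacts: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (name, status) pairs.

    status is 'ok', 'mismatch' (digest differs), 'unpinned' (downloaded but
    not in the manifest) or 'missing' (pinned but not downloaded). Only 'ok'
    is acceptable for a build that wants to fail closed.
    """
    results: List[Tuple[str, str]] = []
    for name, data in sorted(artifacts.items()):
        expected = pinned.get(name)
        if expected is None:
            results.append((name, "unpinned"))
        elif sha256_hex(data) == expected:
            results.append((name, "ok"))
        else:
            results.append((name, "mismatch"))
    for name in sorted(set(pinned) - set(artifacts)):
        results.append((name, "missing"))
    return results


def all_verified(results: List[Tuple[str, str]]) -> bool:
    return bool(results) and all(status == "ok" for _, status in results)


# --- constructed demonstration data (not real artifacts) ---------------------
GOOD_JAR = b"PK\x03\x04 constructed contents of a jar the project pinned"
ORIGINAL_JAR = b"PK\x03\x04 constructed contents of a second pinned jar"
TAMPERED_JAR = ORIGINAL_JAR + b"\x00"  # one extra byte: a modified download

# Manifest as the project would commit it; the digests are computed here only
# so the example is self-contained.
MANIFEST = (
    "# pinned dependency digests (constructed)\n"
    f"{sha256_hex(GOOD_JAR)}  good.jar\n"
    f"{sha256_hex(ORIGINAL_JAR)} *tampered.jar\n"
    f"{'0' * 64}  absent.jar\n"
)

DOWNLOADED = {
    "good.jar": GOOD_JAR,
    "tampered.jar": TAMPERED_JAR,
    "unpinned.jar": b"a jar nobody pinned",
}


def run_demo() -> List[Tuple[str, str]]:
    return verify_artifacts(parse_manifest(MANIFEST), DOWNLOADED)


if __name__ == "__main__":
    demo = run_demo()
    for name, status in demo:
        print(f"{status:9s} {name}")
    raise SystemExit(0 if all_verified(demo) else 1)
```

Run as a script it exits non-zero, since three of the four artifacts fail; a build step would gate on that exit status, and the manifest would be regenerated only when a dependency is deliberately upgraded.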
