Hiram wrote:
> a source build like Apache ServiceMix depends on hundreds of
> third party dependencies, so an end user would need to end up
> trusting LOTs of different signatures to get ServiceMix to build.

> It would be easier if the end user could just trust the Apache source
> distro and also transitively trust the signatures that we trust for
> our dependencies.

A signature is a signed digest.

One way of addressing your issue would be to allow you to include your own
signatures (signed digests) for your downstream dependencies.  If I trust
your package, I will trust your signed digests, and therefore if the decoded
digests match the downstream artifact, that would be deemed OK in this
scenario.

This would mean having to recheck artifacts for each dependent project,
since I cannot trust dependent D for project B just because I trusted it for
project A.  Project A might have been released specifically in order to have
me accept a trojan dependency.

This is off-the-cuff, and definitely subject to amendment if not outright
retraction if/when Henning et al shoot holes in it.  :-)

        --- Noel
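Noel's signed-digest scheme, as an added example (not code from this thread or from any Apache project): the upstream project signs a manifest of dependency digests with an Ed25519 key, and the end user, trusting only that project's key, verifies the manifest signature and then checks each downstream artifact against its signed digest. The `Manifest` type, its line format and the function names are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest: artifact name -> hex SHA-256 digest the upstream project vouches for.
type Manifest map[string]string

// Digest returns the hex SHA-256 of an artifact's bytes.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}
// canonical serialises the manifest in sorted order so the signature covers
// exactly this set of (name, digest) pairs regardless of map iteration order.
func (m Manifest) canonical() []byte {
	lines := make([]string, 0, len(m))
	for n, d := range m {
		lines = append(lines, n+" "+d+"\n")
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, ""))
}
// Sign is the upstream project's signature over its own manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}
// VerifyDependencies is the transitive check: only trustedPub is trusted, the
// manifest signature is verified first, then each artifact is compared with
// its signed digest. Trust is scoped to this one manifest, so a dependency
// accepted for project A is checked again against project B's own manifest.
func VerifyDependencies(trustedPub ed25519.PublicKey, m Manifest, sig []byte, artifacts map[string][]byte) error {
	if !ed25519.Verify(trustedPub, m.canonical(), sig) {
		return fmt.Errorf("manifest signature invalid; no downstream digest is trusted")
	}
	for name, data := range artifacts {
		want, ok := m[name]
		if !ok {
			return fmt.Errorf("%s: not vouched for by the upstream manifest", name)
		}
		if got := Digest(data); got != want {
			return fmt.Errorf("%s: digest %s does not match signed digest %s", name, got, want)
		}
	}
	return nil
}
```

Rejecting an artifact that the manifest does not list is what makes the scheme closed: an attacker who can get a file into the build tree still needs the upstream project's key to have it accepted.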


