[ https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Schmaus updated MNG-6026:
---------------------------------
    Summary: Extend the Project Object Model (POM) with trust information (OpenPGP, checksums)  (was: Extend the Project Object Model (POM) with OpenPGP (RFC 4880) trust information)

> Extend the Project Object Model (POM) with trust information (OpenPGP, 
> checksums)
> ---------------------------------------------------------------------------------
>
>                 Key: MNG-6026
>                 URL: https://issues.apache.org/jira/browse/MNG-6026
>             Project: Maven
>          Issue Type: New Feature
>          Components: core
>            Reporter: Florian Schmaus
>
> I'm not sure if this is the right place to raise a feature request for the 
> POM format itself. I've already tried to get in touch with the right people 
> about this feature request, but failed. I'm willing to help designing and 
> implementing this, but need guidance.
> The origin of this feature request is 
> http://stackoverflow.com/a/34795359/194894, and [especially a SO user 
> requesting me to put this 
> up|http://stackoverflow.com/questions/3307146/verification-of-dependency-authenticy-in-maven-pom-based-automated-build-systems/34795359?noredirect=1#comment62178671_34795359].
> h2. Extend the Project Object Model (POM) with OpenPGP (RFC 4880) trust 
> information
> What we need is the possibility to model a trust relation from your project 
> or artifact to the declared dependencies. So that, if all involved parties 
> declare such a relation, we are able to create a "chain of trust" from the 
> root (e.g. the project) over its dependencies down to the very last 
> transitive dependency. The Project Object Model (POM) needs to be extended by 
> a <verification/> element for dependencies.
> h3. Current Situation
> Right now we have something like
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>4.0</version>
> </dependency>
> {code}
> h3. Hard dependencies
> For hard dependencies, <verification/> could include the sha256sum of the artifact 
> and its POM file:
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>4.0</version>
>   <verification>
>     <checksum hash='sha-256'>
>       <pom>[sha256 of junit pom file]</pom>
>       <artifact>[sha256sum of artifact (junit.jar)]</artifact>
>     </checksum>
>   </verification>
> </dependency>
> {code}
> h3. Soft dependencies
> If soft or ranged dependencies are used, then we could specify the public key 
> (or multiple) of the keypair used to sign the artifacts
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>[4.0,4.5)</version>
>   <verification>
>     <openpgp>[secure fingerprint of OpenPGP key]</openpgp>
>     <!-- possible further 'openpgp' elements in case the artifacts in the
>          specified version range were signed by multiple keys -->
>   </verification>
> </dependency>
> {code}
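As an added illustration of how a build tool could consume the proposed `<checksum>` element for a hard dependency (example code written for this note, not part of the issue or of Maven itself): it parses a constructed POM carrying the element, recomputes the digests of the fetched POM and artifact with the algorithm named in the `hash` attribute, rejects algorithms outside an allow-list, and reports which part mismatched. The dependency XML, the stand-in artifact bytes and the helper names are assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-ins for the bytes a resolver would fetch from a repository.
ARTIFACT_BYTES = b"PK\x03\x04 constructed stand-in for junit-4.0.jar"
POM_BYTES = b"<project>constructed stand-in for junit-4.0.pom</project>"


def pom_with_checksums(pom_hex, jar_hex, algo="sha-256"):
    """Build a constructed POM declaring the proposed <verification> element."""
    return f"""<project>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.0</version>
      <verification>
        <checksum hash='{algo}'>
          <pom>{pom_hex}</pom>
          <artifact>{jar_hex}</artifact>
        </checksum>
      </verification>
    </dependency>
  </dependencies>
</project>"""


def digest(algo, data):
    # Map the proposed 'sha-256' spelling onto hashlib's name; allow only strong hashes.
    name = algo.lower().replace("-", "")
    if name not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported or weak checksum algorithm: {algo}")
    return hashlib.new(name, data).hexdigest()


def verify_dependency(pom_xml, fetched_pom, fetched_artifact):
    """Check fetched bytes against every <checksum> child declared for the dependency.
    Returns (ok, reason); a dependency without <verification> is reported as unverified."""
    dep = ET.fromstring(pom_xml).find("./dependencies/dependency")
    checksum = dep.find("./verification/checksum")
    if checksum is None:
        return False, "no <verification> declared"
    algo = checksum.get("hash", "")
    expected = {child.tag: child.text.strip() for child in checksum}
    try:
        actual = {"pom": digest(algo, fetched_pom), "artifact": digest(algo, fetched_artifact)}
    except ValueError as exc:
        return False, str(exc)
    for part, want in expected.items():
        # compare_digest avoids leaking how much of the declared hash matched
        if part not in actual or not hmac.compare_digest(want.lower(), actual[part]):
            return False, f"{part} checksum mismatch ({algo})"
    return True, "all declared checksums match"
```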



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)