[
https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15292101#comment-15292101
]
Florian Schmaus edited comment on MNG-6026 at 5/19/16 8:40 PM:
---------------------------------------------------------------
> Doesn't it look like a maintenance nightmare putting checksums and
> fingerprints for all artifact?
Not to me. I'd create the checksums and fingerprints with the approach
gradle-witness uses: Simply provide a command which collects the fingerprints
and hash values of the dependencies from well known sources and adds them to
the POM. You can, at any point later, verify that those are in fact correct.
But even if you are lazy and don't do so: The fact that artifacts can't be
replaced by some other (malicious) entity easily later on already increases the
security enormous.
> Even if you do, transitive dependencies won't likely have them
So? Even if only a subset of your dependencies use </verification> then the
attack surface is at least reduced. Furthermore all POMs nowadays have a
detached PGP signature. At least this is true for the ones from Maven Central
as Sonatype enforces them. So this part is already there.
> Hard is <version>[4.0]</version>
Isn't that covered in the "Soft dependencies" section? How is the [4.0] case
different from e.g. [4.0,5.0)?
was (Author: flowdalic):
> Doesn't it look like a maintenance nightmare putting checksums and
> fingerprints for all artifact?
Not to me. I'd create the checksums and fingerprints with the approach
gradle-witness uses: Simply provide a command which collects the fingerprints
and checksums of the dependencies from well known sources and adds them to the
POM. You can, at any point later, verify that those are in fact correct. But
even if you are lazy and don't do so: The fact that artifacts can't be replaced
by some other (malicious) entity easily later on already increases the security
enormous.
> Even if you do, transitive dependencies won't likely have them
So? Even if only a subset of your dependencies use </verification> then the
attack surface is at least reduced. Furthermore all POMs nowadays have a
detached PGP signature. At least this is true for the ones from Maven Central
as Sonatype enforces them. So this part is already there.
> Hard is <version>[4.0]</version>
Isn't that covered in the "Soft dependencies" section? How is the [4.0] case
different from e.g. [4.0,5.0)?
> Extend the Project Object Model (POM) with trust information (OpenPGP, hash
> values)
> -----------------------------------------------------------------------------------
>
> Key: MNG-6026
> URL: https://issues.apache.org/jira/browse/MNG-6026
> Project: Maven
> Issue Type: New Feature
> Components: core
> Reporter: Florian Schmaus
>
> I'm not sure if this is the right place to raise an feature request for the
> POM format itself. I've already tried to get in touch with the right people
> about this feature request, but failed. I'm willing to help designing and
> implementing tihs, but need guidance.
> The origin of this feature request is
> http://stackoverflow.com/a/34795359/194894, and [especially a SO user
> requesting me to put this
> up|http://stackoverflow.com/questions/3307146/verification-of-dependency-authenticy-in-maven-pom-based-automated-build-systems/34795359?noredirect=1#comment62178671_34795359].
> h2. Extend the Project Object Model (POM) with trust information (OpenPGP -
> RFC 4480 and hash values)
> What we need is the possibility to model a trust relation from your project
> or artifact to the declared dependencies. So that, if all involved parties
> declare such a relation, we are able to create a "chain of trust" from the
> root (e.g. the project) over its dependencies down to the very last
> transitive dependency. The Project Object Model (POM) needs to be extended by
> a <verification/> element for dependencies.
> h3. Current Situation
> Right now we have something like
> {code:xml}
> <dependency>
> <groupId>junit</groupId>
> <artifactId>junit</artifactId>
> <version>4.0</version>
> </dependency>
> {code}
> h3. Hard dependencies
> For hard dependencies, <verfication/> could include the sha256sum of artifact
> and its POM file:
> {code:xml}
> <dependency>
> <groupId>junit</groupId>
> <artifactId>junit</artifactId>
> <version>4.0</version>
> <verification>
> <checksum hash='sha-256'>
> <pom>[sha256 of junit pom file]</pom>
> <artifact>[sha256sum of artifact (junit.jar)]</artifact>
> </checksum>
> </verification>
> </dependency>
> {code}
> h3. Soft dependencies
> If soft or ranged dependencies are used, then we could specify the public key
> (or multiple) of the keypair used to sign the artifacts
> {code:xml}
> <dependency>
> <groupId>junit</groupId>
> <artifactId>junit</artifactId>
> <version>[4.0,4.5)</version>
> <verification>
> <openpgp>[secure fingerprint of OpenPGP key]</openpgp>
> <!-- possible further 'openpgp' elements in case the artifacts in the
> specified version range where signed by multiple keys -->
> </verification>
> </dependency>
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
