Warren MacEvoy created MNGSITE-299:
---------------------------------------

             Summary: Download security flaw
                 Key: MNGSITE-299
                 URL: https://issues.apache.org/jira/browse/MNGSITE-299
             Project: Maven Project Web Site
          Issue Type: Bug
         Environment: any - raspberry pi in particular
            Reporter:  Warren MacEvoy


A quick search of how to install maven on a raspberry pi reveals the most 
effective way is a direct install from a download from your site, i.e.:

https://www.xianic.net/post/installing-maven-on-the-raspberry-pi/

I assume many of these users are new developers.  However the download link on 
your site refers to an INSECURE download,

http://www.mirrorservice.org/sites/ftp.apache.org/maven/maven-3/3.2.5/binaries/apache-maven-3.3.9-bin.tar.gz

followed by the suggestion that users should verify the download using md5 (!) or 
gpg.

Ignoring the terrible idea of having md5 hashes, about four more steps later 
gives the following most unsatisfying gpg result:

gpg --verify apache-maven-3.3.9-bin.tar.gz.asc apache-maven-3.3.9-bin.tar.gz
gpg: Signature made Tue 10 Nov 2015 16:44:20 UTC using DSA key ID BB617866
gpg: Good signature from "Sarel Jason van Zyl <ja...@maven.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB11 D4BB 7B24 4678 337A  AD8B C7BF 26D0 BB61 7866

So

1. The CDN should ONLY ALLOW HTTPS.  Maven is a core project and allowing for 
simple injection at this level is irresponsible.

2. Providing md5 checksums is irresponsible.  How about sha256?  This would 
allow us to skip all the gpg run-around to vacuous conclusion.

3. If gpg is the preferred route, then uploads should not be allowed that do 
not give a more satisfying answer than "there is no indication the signature 
belongs to the owner".  I think this falls below the md5 sum bar.

Thank you for providing support to this important project.
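The two checks the report asks for, shown as an added example that is not part of the issue and not Apache's or the reporter's code: pin the expected SHA-256 of an artifact and compare it, and treat a gpg "Good signature" as meaningful only when the reported primary key fingerprint equals a fingerprint pinned out of band (for Apache projects, the one published in the project's KEYS file). The artifact content, the expected digest and the pinned fingerprint below are constructed sample values; the gpg output is the text quoted in the report, reused here as a sample. The functions `verify_sha256` and `verify_fingerprint` are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the issue or from Apache): verify a download by
# (a) comparing its SHA-256 to a pinned expected value and
# (b) requiring that the fingerprint gpg reports equals a pinned fingerprint,
#     instead of trusting "Good signature" alone, which says nothing about
#     who controls the key.

# --- (a) SHA-256 pinning ----------------------------------------------------
# sha256_of FILE: print the hex SHA-256 of FILE (coreutils, shasum fallback)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX: exit 0 only if the digest matches
# (case-insensitive); an empty digest never matches.
verify_sha256() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# --- (b) fingerprint pinning from gpg --verify output -----------------------
# fingerprint_from_gpg_output: read gpg output on stdin, print the primary key
# fingerprint with spaces removed (prints nothing if gpg reported none).
fingerprint_from_gpg_output() {
  sed -n 's/^Primary key fingerprint: *//p' | tr -d ' '
}

# verify_fingerprint EXPECTED_FP: read gpg output on stdin; exit 0 only if the
# output contains a "Good signature" line AND the fingerprint equals EXPECTED_FP
# (spaces in either fingerprint are ignored).
verify_fingerprint() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^gpg: Good signature' || return 1
  fp=$(printf '%s\n' "$out" | fingerprint_from_gpg_output)
  [ -n "$fp" ] && [ "$fp" = "$(printf '%s' "$1" | tr -d ' ')" ]
}

# --- constructed demonstration input (not a real Maven artifact) ------------
tmp=$(mktemp)
printf 'hello\n' > "$tmp"
# SHA-256 of the bytes "hello\n"; a real value would come from the project's
# published .sha256 file fetched over HTTPS.
GOOD_SHA='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'
if verify_sha256 "$tmp" "$GOOD_SHA"; then
  echo "sha256 ok"
else
  echo "sha256 MISMATCH: do not use this file"
fi
rm -f "$tmp"

# gpg --verify output as quoted in the report, used here as a sample.
SAMPLE_GPG_OUTPUT='gpg: Signature made Tue 10 Nov 2015 16:44:20 UTC using DSA key ID BB617866
gpg: Good signature from "Sarel Jason van Zyl <ja...@maven.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB11 D4BB 7B24 4678 337A  AD8B C7BF 26D0 BB61 7866'
# The pinned value would be copied from the project KEYS file, not from gpg.
PINNED_FP='FB11 D4BB 7B24 4678 337A  AD8B C7BF 26D0 BB61 7866'
if printf '%s\n' "$SAMPLE_GPG_OUTPUT" | verify_fingerprint "$PINNED_FP"; then
  echo "signature made by the pinned key"
else
  echo "signature key does NOT match the pinned fingerprint"
fi
```

The WARNING lines gpg prints are about the local web of trust, not about the artifact; comparing the fingerprint against a pinned copy of the project's KEYS data is what turns "Good signature" into "signed by the key we expect". Both the checksum file and the KEYS file must themselves be fetched over HTTPS from the project's own host, or the comparison proves nothing.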
