[ 
https://issues.apache.org/jira/browse/MNGSITE-299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Scholte closed MNGSITE-299.
----------------------------------
    Resolution: Invalid
      Assignee: Robert Scholte

You should ask the writer of the blog to update those links; nothing we can do 
about it.

> Download security flaw
> ----------------------
>
>                 Key: MNGSITE-299
>                 URL: https://issues.apache.org/jira/browse/MNGSITE-299
>             Project: Maven Project Web Site
>          Issue Type: Bug
>         Environment: any - raspberry pi in particular
>            Reporter:  Warren MacEvoy
>            Assignee: Robert Scholte
>
> A quick search of how to install Maven on a Raspberry Pi reveals the most 
> effective way is a direct install from a download from your site, i.e.:
> https://www.xianic.net/post/installing-maven-on-the-raspberry-pi/
> I assume many of these users are new developers. However, the download link 
> on your site refers to an INSECURE download,
> http://www.mirrorservice.org/sites/ftp.apache.org/maven/maven-3/3.2.5/binaries/apache-maven-3.3.9-bin.tar.gz
> followed by the suggestion that users should verify the download using md5 (!) or 
> gpg.
> Ignoring the terrible idea of having md5 hashes, about four more steps later 
> gives the following most unsatisfying gpg result:
> gpg --verify apache-maven-3.3.9-bin.tar.gz.asc apache-maven-3.3.9-bin.tar.gz
> gpg: Signature made Tue 10 Nov 2015 16:44:20 UTC using DSA key ID BB617866
> gpg: Good signature from "Sarel Jason van Zyl <ja...@maven.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: FB11 D4BB 7B24 4678 337A  AD8B C7BF 26D0 BB61 7866
> So:
> 1. The CDN should ONLY ALLOW HTTPS. Maven is a core project and allowing for 
> simple injection at this level is irresponsible.
> 2. Providing md5 checksums is irresponsible. How about sha256? This would 
> allow us to skip all the gpg run-around to a vacuous conclusion.
> 3. If gpg is the preferred route, then uploads should not be allowed that 
> do not give a more satisfying answer than "there is no indication the 
> signature belongs to the owner". I think this falls below the md5 sum bar.
> Thank you for providing support to this important project.
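The verification the report walks through, as an added shell example that is not part of the ticket or of the Maven project: it compares a SHA-256 digest as the reporter suggests, and turns the "not certified with a trusted signature" warning into an explicit check by pinning the expected signing-key fingerprint (the one printed in the quoted gpg output is used below as the sample). That the checksum file holds a hex digest as its first field and that `sha256sum` and `gpg` are on the PATH are assumptions.

```shell
#!/bin/sh
# Added example, not Maven project code. Verifies a release archive against a
# published SHA-256 digest and a detached PGP signature whose signing key must
# match a fingerprint pinned by the verifier, so gpg's trust-db warning no
# longer decides the outcome.
set -eu

# verify_sha256 ARCHIVE EXPECTED_HEX: exit 0 only when digests match.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# signing_fingerprint: read gpg --verify output on stdin, print the primary key
# fingerprint with spaces removed (empty output when gpg printed none).
signing_fingerprint() {
  sed -n 's/^Primary key fingerprint: //p' | tr -d ' '
}

# verify_signature ARCHIVE ASC_FILE PINNED_FP: gpg must report a good signature
# AND the signing key's fingerprint must equal the pinned value. The pinned
# value is obtained out of band (e.g. the project's KEYS file over HTTPS), not
# from the same mirror that served the archive.
verify_signature() {
  out=$(gpg --verify "$2" "$1" 2>&1) || return 1
  fp=$(printf '%s\n' "$out" | signing_fingerprint)
  [ -n "$fp" ] && [ "$fp" = "$3" ]
}

# verify_release ARCHIVE SHA256_FILE ASC_FILE PINNED_FP: run both checks.
verify_release() {
  expected=$(cut -d' ' -f1 < "$2")         # assumed checksum-file layout
  verify_sha256 "$1" "$expected" || { echo "checksum mismatch: $1" >&2; return 1; }
  verify_signature "$1" "$3" "$4" || { echo "signature/key mismatch: $1" >&2; return 1; }
  echo "verified: $1"
}
```

Run as `verify_release apache-maven-3.3.9-bin.tar.gz apache-maven-3.3.9-bin.tar.gz.sha256 apache-maven-3.3.9-bin.tar.gz.asc FB11D4BB7B244678337AAD8BC7BF26D0BB617866` after fetching all three files over HTTPS; any mismatch returns non-zero.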



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)