[jira] [Updated] (MNG-6026) Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)

2023-11-14 Thread Florian Schmaus (Jira)


 [ 
https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Florian Schmaus updated MNG-6026:
-
Description: 
The origin of this feature request is the Stackoverflow question ["Verification 
of dependency authenticity in Maven POM based automated build 
systems"|http://stackoverflow.com/a/34795359/194894], and [especially a SO user 
requesting me to put this 
up|http://stackoverflow.com/questions/3307146/verification-of-dependency-authenticy-in-maven-pom-based-automated-build-systems/34795359?noredirect=1#comment62178671_34795359].
h2. Extend the Project Object Model (POM) with trust information (OpenPGP - RFC 
4480 and hash values)

What we need is the possibility to model a trust relation from your project or 
artifact to the declared dependencies, so that, if all involved parties declare 
such a relation, we are able to create a "chain of trust" from the root (e.g. 
the project) over its dependencies down to the very last transitive dependency. 
The Project Object Model (POM) needs to be extended by a  
element for dependencies.
h3. Current Situation

Right now we have something like:
{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.0</version>
</dependency>
{code}
h3. Hard dependencies

For hard dependencies,  could include the sha256sum of the artifact 
and its POM file:
{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0]</version>
  <!-- the names of the two wrapper elements were not preserved in this copy -->
  [trust element]
    [hash list element]
      [sha256 of junit pom file]
      [sha256sum of artifact (junit.jar)]
    [/hash list element]
  [/trust element]
</dependency>
{code}
h3. Soft dependencies

If soft dependencies, also called "ranged" or "dynamic" dependencies, are used, 
then we could specify the public key (or multiple keys) of the keypair used to 
sign the artifacts:
{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0,4.5)</version>
  <!-- the names of the two wrapper elements were not preserved in this copy -->
  [trust element]
    [key list element]
      [secure fingerprint of OpenPGP key used to sign the junit artifact(s)]
    [/key list element]
  [/trust element]
</dependency>
{code}

I'm not sure if this is the right place to raise a feature request for the POM 
format itself. I've already tried to get in touch with the right people about 
this feature request, but failed. I'm willing to help design and 
implement this, but need guidance.



> Extend the Project Object Model (POM) with trust information (OpenPGP, hash 
> values)
> ---
>
> Key: MNG-6026
> URL: https://issues.apache.org/jira/browse/MNG-6026
> Project: Maven
>  Issue Type: New Feature
>  Components: Core
>Reporter: Florian Schmaus
>Priority: Major
>  Labels: artifact-verification, security
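A verifier for the "chain of trust" the request describes, as an added example (it is neither Maven code nor the reporter's): a pinned version is checked against the declared sha256 values of its POM and jar, a version range against the fingerprint of the key that signed the fetched artifact, and every POM that passes is walked in turn down to the last transitive dependency. The element names `<trust>`, `<sha256 file="...">` and `<openpgp>`/`<fingerprint>` are assumptions, since MNG-6026 leaves them open; the artifact bytes and fingerprints are constructed, and the OpenPGP signature check itself is delegated to an OpenPGP implementation whose result (the signer's fingerprint) is passed in.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the files a resolver would fetch from a repository.
TRANSITIVE_POM, TRANSITIVE_JAR = b"<project/>", b"PK\x03\x04 transitive-1.0.jar"
JUNIT_JAR = b"PK\x03\x04 constructed stand-in for junit-4.0.jar"
# junit's (constructed) POM pins its own dependency by hash: that is the next
# hop of the chain of trust.
JUNIT_POM = f"""<project><dependencies><dependency>
  <groupId>org.example</groupId><artifactId>transitive</artifactId><version>[1.0]</version>
  <trust><sha256 file="pom">{sha256_hex(TRANSITIVE_POM)}</sha256>
         <sha256 file="jar">{sha256_hex(TRANSITIVE_JAR)}</sha256></trust>
</dependency></dependencies></project>""".encode()
# Constructed fingerprint of the key expected to sign the ranged dependency.
RANGED_SIGNER = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
# Root POM in the shape MNG-6026 sketches; the element names <trust>,
# <sha256 file="..."> and <openpgp>/<fingerprint> are assumptions.
ROOT_POM = f"""<project><dependencies>
  <dependency>
    <groupId>junit</groupId><artifactId>junit</artifactId><version>[4.0]</version>
    <trust><sha256 file="pom">{sha256_hex(JUNIT_POM)}</sha256>
           <sha256 file="jar">{sha256_hex(JUNIT_JAR)}</sha256></trust>
  </dependency>
  <dependency>
    <groupId>org.example</groupId><artifactId>ranged</artifactId><version>[4.0,4.5)</version>
    <trust><openpgp><fingerprint>{RANGED_SIGNER}</fingerprint></openpgp></trust>
  </dependency>
</dependencies></project>"""
# Fetched files keyed by groupId:artifactId, and the fingerprint of the key
# whose signature on each artifact an OpenPGP implementation already verified.
REPO = {"junit:junit": {"pom": JUNIT_POM, "jar": JUNIT_JAR},
        "org.example:ranged": {"pom": b"<project/>", "jar": b"PK\x03\x04 ranged-4.2.jar"},
        "org.example:transitive": {"pom": TRANSITIVE_POM, "jar": TRANSITIVE_JAR}}
SIGNERS = {"org.example:ranged": "0123456789abcdef0123456789abcdef01234567"}

_RANGE_RE = re.compile(r"^[\[(].*,.*[\])]$")  # e.g. [4.0,4.5) or [1.0,)


def is_pinned(version: str) -> bool:
    """True for an exact version such as [4.0] (or plain 4.0), False for a range."""
    return _RANGE_RE.match(version.strip()) is None


def normalize_fingerprint(fp: str) -> str:
    """Upper-case hex without separators; only a full v4 (40 hex digits) or
    v6 (64 hex digits) fingerprint is accepted, never a short key id."""
    digits = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", digits):
        raise ValueError(f"not a full OpenPGP fingerprint: {fp!r}")
    return digits


def parse_trust(pom_xml) -> list:
    """Coordinates, version and declared trust data of every dependency."""
    deps = []
    for dep in ET.fromstring(pom_xml).iter("dependency"):
        entry = {"coords": f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}",
                 "version": (dep.findtext("version") or "").strip(),
                 "hashes": {}, "fingerprints": set()}
        trust = dep.find("trust")
        for h in ([] if trust is None else trust.findall("sha256")):
            digest = (h.text or "").strip().lower()
            if not re.fullmatch(r"[0-9a-f]{64}", digest):
                raise ValueError(f"malformed sha256 for {entry['coords']}")
            entry["hashes"][h.get("file")] = digest
        for fp in ([] if trust is None else trust.iter("fingerprint")):
            entry["fingerprints"].add(normalize_fingerprint(fp.text or ""))
        deps.append(entry)
    return deps


def verify_dependency(dep: dict, files: dict, signer=None) -> tuple:
    """Proposed policy for one resolved dependency: sha256 values for a pinned
    version, otherwise the fingerprint of the key that signed the artifacts."""
    if dep["hashes"]:
        if not is_pinned(dep["version"]):
            return False, "hashes declared for a version range"
        for name, expected in dep["hashes"].items():
            if name not in files:
                return False, f"{name} not fetched"
            if not hmac.compare_digest(sha256_hex(files[name]), expected):
                return False, f"sha256 mismatch for {name}"
        return True, "hashes match"
    if not dep["fingerprints"]:
        return False, "no trust information declared"
    if signer is None:
        return False, "no verified signature"
    if normalize_fingerprint(signer) in dep["fingerprints"]:
        return True, "signed by a declared key"
    return False, "signed by an undeclared key"


def verify_chain(pom_xml, repo: dict, signers: dict, results=None) -> dict:
    """Walk the tree: check each declared dependency, then apply the same check
    to what its now-trusted POM declares, down to the last transitive hop."""
    results = {} if results is None else results
    for dep in parse_trust(pom_xml):
        if dep["coords"] in results:
            continue
        files = repo.get(dep["coords"], {})
        results[dep["coords"]] = verify_dependency(dep, files, signers.get(dep["coords"]))
        if results[dep["coords"]][0] and "pom" in files:
            verify_chain(files["pom"], repo, signers, results)
    return results
```

A hop that fails stops the walk below it, so a tampered junit jar leaves its transitive dependency unverified rather than silently trusted.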

[jira] [Updated] (MNG-6026) Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)

2020-10-27 Thread Florian Schmaus (Jira)


 [ 
https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Florian Schmaus updated MNG-6026:
-
Description: 

[jira] [Updated] (MNG-6026) Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)

2020-10-27 Thread Florian Schmaus (Jira)


 [ 
https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Florian Schmaus updated MNG-6026:
-
Description: 

[jira] [Updated] (MNG-6026) Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)

2019-02-24 Thread Florian Schmaus (JIRA)


 [ 
https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Florian Schmaus updated MNG-6026:
-
Description: 

[jira] [Updated] (MNG-6026) Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)

2018-04-01 Thread Florian Schmaus (JIRA)

 [ 
https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Florian Schmaus updated MNG-6026:
-
Labels: artifact-verification security  (was: )



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (MNG-6026) Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)

2018-04-01 Thread Florian Schmaus (JIRA)

 [ 
https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Florian Schmaus updated MNG-6026:
-
Description: 

[jira] [Updated] (MNG-6026) Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)

2016-05-20 Thread Florian Schmaus (JIRA)

 [ 
https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Florian Schmaus updated MNG-6026:
-
Description: 

[jira] [Updated] (MNG-6026) Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)

2016-05-19 Thread Florian Schmaus (JIRA)

 [ 
https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Florian Schmaus updated MNG-6026:
-
Summary: Extend the Project Object Model (POM) with trust information 
(OpenPGP, hash values)  (was: Extend the Project Object Model (POM) with trust 
information (OpenPGP, checksums))
