On Wed, 2002-10-02 at 10:11, Ben Walding wrote:
> Not to imply Scott is anything but a most trusted developer... but how
> do you know Scott hasn't gone on holidays and I'm not forging his emails
> + jars?! (Obviously if someone can see him in their office, then this
> isn't true, but work with me here!)
>
>
> As Maven becomes more popular it also becomes a target for crackers and
> the like. Would it not be a good idea to consider signing the jar files
> to prevent a compromise of ibiblio.org from causing some serious damage
> to a lot of projects?

This could be a solution integrated with the checksum checking, as I
mentioned earlier, to avoid corrupt .jars too.

> It's not unimaginable that trojan code could get into the repository (as
> witnessed by the BSD crack (which was foiled by signing!) of 6 months ago, if
> I'm remembering correctly). I'd hate to see any clown lawyers try to
> argue failure of duty of care against Maven / Jakarta / Apache
> (notwithstanding the disclaimer that an end user may not read).
>
> "Solution"
> I.e.
> Create a cert for Maven, and then have Maven only accept Maven-signed
> jars unless options were set (to allow non-Maven signers, unsigned jars
> etc). Maven would have to be told to trust the CA cert (if it were a
> snakeoil one), but that isn't a huge issue. Individual trusted
> developers could also be issued with their own certs from this.
>
> (I haven't been very explicit here as I don't know what resources
> Jakarta already has along these lines / I haven't truly thought it
> through yet.)
>
> In the same vein, perhaps submission of jars should be made more
> rigorous, as if a bad jar is injected into the signing, no amount of
> security after the fact will help.
>
>
> Just some thoughts,
>
>
> Ben
>
> Jason van Zyl wrote:
>
> >On Wed, 2002-10-02 at 00:20, Scott Eade wrote:
> >
> >>Can someone please put torque-3.0-b4.jar on ibiblio.
> >>
> >
> >Send me the jar you want me to put up and I will.
> >
> >>Thanks,
> >>
> >>Scott
> >>--
> >>Scott Eade
> >>Backstage Technologies Pty. Ltd.
> >>http://www.backstagetech.com.au
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
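One way to implement the policy Ben sketches above (accept only jars whose signers were issued a cert by the CA the user told Maven to trust, with an explicit opt-out for unsigned jars), as an added Java example that is not from this thread and not Maven's own code; the `SignedJarPolicy` class, its method names and the direct-issuance check are my own simplification, assuming the CA issues developer certs directly as the proposal suggests:

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.*;

/** Hypothetical policy: accept a jar only if every entry is signed by a cert the trusted CA issued. */
public final class SignedJarPolicy {
    private final X509Certificate trustedCa; // the CA cert the user told Maven to trust
    private final boolean allowUnsigned;     // the opt-out option the proposal mentions

    public SignedJarPolicy(X509Certificate ca, boolean allowUnsigned) { this.trustedCa = ca; this.allowUnsigned = allowUnsigned; }

    public boolean accept(File jar) throws IOException {
        // verify=true: JarFile checks each entry's manifest digest and the signature block as the
        // entry is read, which covers the "corrupt jar" checksum concern in the same pass
        try (JarFile jf = new JarFile(jar, true)) {
            for (Enumeration<JarEntry> en = jf.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* signers are known only once the entry is fully read */ }
                } catch (SecurityException tampered) {
                    return false; // digest mismatch: content changed after signing
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { if (allowUnsigned) continue; return false; }
                if (!issuedByTrustedCa(signers)) return false;
            }
            return true;
        }
    }

    // Simplified trust check: the signer's leaf cert must be valid now and signed directly by the
    // trusted CA; a multi-level chain would need CertPathValidator (PKIX) instead.
    private boolean issuedByTrustedCa(CodeSigner[] signers) {
        for (CodeSigner s : signers) {
            java.util.List<?> chain = s.getSignerCertPath().getCertificates();
            if (chain.isEmpty() || !(chain.get(0) instanceof X509Certificate)) continue;
            X509Certificate leaf = (X509Certificate) chain.get(0);
            try {
                leaf.checkValidity();
                if (leaf.getIssuerX500Principal().equals(trustedCa.getSubjectX500Principal())) {
                    leaf.verify(trustedCa.getPublicKey()); // throws if the CA did not sign it
                    return true;
                }
            } catch (GeneralSecurityException notTrusted) { /* try the next signer */ }
        }
        return false;
    }
}
```

With allowUnsigned set to false, an entry appended to an already-signed jar without a manifest digest is also rejected, because it shows up with no signers.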
