On Wed, 2002-10-02 at 04:11, Ben Walding wrote:
> Not to imply Scott as anything but a most trusted developer... but how 
> do you know Scott hasn't gone on holidays and I'm not forging his emails 
> + jars?! (Obviously if someone can see him in their office, then this 
> isn't true, but work with me here!)

We have discussed it, but it's similar to my response to Michael
yesterday. We just haven't had time. It's not likely that something bad
would get into the repository at this point. I know everyone who is an
admin and I don't take JARs from just anyone. Most of the time one of us
will build them first.

Is security a concern? Sure it is, but it's primarily a matter of trust
right now. If someone wants to screw everything up for everyone they
probably could right now. We'll eventually have an admin app and each
and every project involved will have access to the repository in some form
or shape. I'm thinking something akin to a moderated mailing list. The first
time you submit something some checking happens; after that you have
access.
 
> 
> As Maven becomes more popular it also becomes a target for crackers and 
> the like.  Would it not be a good idea to consider signing the jar files 
> to prevent a compromise of ibiblio.org from causing some serious damage 
> to a lot of projects?

Of course. We've thought about this.

> It's not unimaginable that trojan code could get into repository (as 
> witnessed by BSD crack (which was foiled by signing!) of 6 months ago if 
> I'm remembering correctly). I'd hate to see any clown lawyers try to 
> argue failure of duty of care against Maven / Jakarta / Apache 
> (notwithstanding the disclaimer that an end user may not read)
> 
> "Solution"
> I.e.  
> Create a cert for Maven, and then have Maven only accept Maven signed 
> jars unless options were set (to allow non Maven signers, unsigned jars 
> etc).  Maven would have to be told to trust the CA cert (if it were a 
> snakeoil one), but that isn't a huge issue.  Individual trusted 
> developers could also be issued with their own certs from this.
> 
> (I haven't been very explicit here as I don't know what resources 
> jakarta already has along these lines / I haven't truly thought it 
> through yet)
> 
> In the same vein, perhaps submission of jars should be made more 
> rigorous as if a bad jar is injected into the signing, no amount of 
> security after the fact will help.
> 
> 
> Just some thoughts,
> 
> 
> Ben
> 
> Jason van Zyl wrote:
> 
> >On Wed, 2002-10-02 at 00:20, Scott Eade wrote:
> >  
> >
> >>Can someone please put torque-3.0-b4.jar on ibiblio.
> >>    
> >>
> >
> >Send me the jar you want me to put up and I will.
> > 
> >  
> >
> >>Thanks,
> >>
> >>Scott
> >>-- 
> >>Scott Eade
> >>Backstage Technologies Pty. Ltd.
> >>http://www.backstagetech.com.au
> >>
> >>
> >>
> >>--
> >>To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> >>For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
> >>
> 
> 
> 
> 
-- 
jvz.

Jason van Zyl
[EMAIL PROTECTED]
http://tambora.zenplex.org

In short, man creates for himself a new religion of a rational
and technical order to justify his work and to be justified in it.
  
  -- Jacques Ellul, The Technological Society
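The client-side half of the scheme Ben sketches (a repository CA, a client that accepts only jars whose signer chains to that CA, and an option to let unsigned jars through) can be built on the JDK's own jar verification. The class below is an added example written for this thread; it is not code from the thread, from Maven or from Jakarta. The class name, the `--allow-unsigned` option and the two command-line arguments (a PEM- or DER-encoded CA certificate and the jar to check) are assumptions made here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Client-side policy for a signed-artifact repository (added example, not Maven code):
 * accept a jar only if every content entry carries a signature that chains to the
 * repository CA, unless the hypothetical allowUnsigned option has been switched on.
 */
public class SignedJarCheck {

    private final PKIXParameters trustParams;
    private final boolean allowUnsigned;   // hypothetical option from the proposal

    public SignedJarCheck(X509Certificate repositoryCa, boolean allowUnsigned) throws Exception {
        this.allowUnsigned = allowUnsigned;
        // The self-issued ("snakeoil") repository CA is the single trust anchor.
        this.trustParams = new PKIXParameters(
                Collections.singleton(new TrustAnchor(repositoryCa, null)));
        // Revocation checking is disabled for brevity; enable CRL/OCSP in a real deployment.
        this.trustParams.setRevocationEnabled(false);
    }

    /** Loads a PEM- or DER-encoded X.509 certificate from disk. */
    public static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Returns true if at least one signer of an entry chains to the trusted CA. */
    private boolean trusted(CodeSigner[] signers) throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        for (CodeSigner signer : signers) {
            try {
                validator.validate(signer.getSignerCertPath(), trustParams);
                return true;
            } catch (CertPathValidatorException e) {
                // Signed, but not by a key the repository CA vouches for; try the next signer.
            }
        }
        return false;
    }

    /**
     * Applies the policy to one jar. A SecurityException from JarFile means an entry's
     * bytes no longer match the digest that was signed, i.e. the jar was tampered with.
     */
    public boolean accept(String jarPath) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {   // true: verify signatures while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;   // manifest and signature files are not themselves signed content
                }
                // Verification happens as the entry's bytes are consumed, so read it fully first.
                byte[] buf = new byte[8192];
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();   // null for an unsigned entry
                if (signers == null) {
                    if (!allowUnsigned) {
                        System.err.println("unsigned entry: " + entry.getName());
                        return false;
                    }
                    continue;
                }
                if (!trusted(signers)) {
                    System.err.println("entry signed by an untrusted signer: " + entry.getName());
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java SignedJarCheck <repository-ca.pem> <artifact.jar> [--allow-unsigned]");
            System.exit(2);
        }
        boolean allowUnsigned = args.length > 2 && "--allow-unsigned".equals(args[2]);
        SignedJarCheck check = new SignedJarCheck(loadCert(args[0]), allowUnsigned);
        boolean ok = check.accept(args[1]);
        System.out.println((ok ? "ACCEPT " : "REJECT ") + args[1]);
        System.exit(ok ? 0 : 1);
    }
}
```

Two points the code makes concrete. First, JarFile only verifies an entry while its bytes are read, so a client that inspects `getCodeSigners()` without reading the entry would see `null` and could mistake a signed jar for an unsigned one; the loop reads every entry before asking. Second, a passing check says only that a key the repository CA vouches for signed these exact bytes; it says nothing about whether the bytes are benign, which is why the thread's point about making submission more rigorous matters as much as the signature itself.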