Wendy Smoak wrote:
On Wed, Apr 23, 2008 at 12:29 PM, Chad La Joie <[EMAIL PROTECTED]> wrote:
I know about, and use, the plugin for creating PGP signatures of artifacts.
Is there a mechanism to validate the signatures of incoming dependencies?

Not at present.  The first thing I'd like to see is a goal added to
the plugin that can check the signature for a single artifact.

Yep, agreed.

Checking signatures as artifacts are proxied is also a good feature
for a repository manager.  I know we've talked about it for Archiva.

Also agree.

Do you have an opinion on where the signature file ought to come from?

In our projects (e.g. [1]) I upload the signatures to our repository, just like the MD5/SHA-1 hashes (which I have a question about but will send in another email). My understanding was that Maven was checking these hashes when it pulled down the dependency. Assuming my understanding is correct, it seemed reasonable that it might check the signature in the same manner.

I've collected two opinions, one that the signature should only be
downloaded from a trusted source (even if the artifact comes from a
mirror), and the other that it doesn't matter because you'd use the
web of trust built up by cross-signed keys to determine whether or not
to accept the artifact.

I work on a project where signature validation and trust of the validating credential are completely separate concerns. So, for me, the second option seems like the only reasonable approach. I don't think you can "trust" anything just because of where it comes from.

[1] http://shibboleth.internet2.edu/downloads/maven2/org/opensaml/xmltooling/1.0.1

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[EMAIL PROTECTED], http://www.switch.ch
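The two mechanisms discussed in the thread, the MD5/SHA-1 sidecar files Maven downloads next to an artifact and a detached PGP signature, check different things, and the reply above separates "the signature verifies" from "I trust the signing key". The script below is an added illustration and not part of the original thread, the Maven project, or the GPG plugin. It assumes the usual Maven sidecar layout (a hex digest, optionally followed by the file name) and the machine-readable `--status-fd` output of `gpg`; the status lines and the artifact bytes in it are constructed samples, and the fingerprint and signer are placeholders.

```python
import hashlib
import hmac
import re
import subprocess

# Maven sidecar files (.md5 / .sha1) hold the hex digest, optionally followed by
# whitespace and the artifact file name.  Both layouts are accepted here.
_DIGEST_RE = re.compile(r"^\s*([0-9a-fA-F]+)")


def parse_checksum_sidecar(text):
    """Return the lowercase hex digest from a Maven .md5/.sha1 sidecar file."""
    m = _DIGEST_RE.match(text)
    if not m:
        raise ValueError("sidecar file does not start with a hex digest")
    return m.group(1).lower()


def verify_checksum(artifact_bytes, sidecar_text, algo="sha1"):
    """True if the artifact hashes to the digest recorded in its sidecar."""
    expected = parse_checksum_sidecar(sidecar_text)
    actual = hashlib.new(algo, artifact_bytes).hexdigest()
    # A checksum only detects corruption: whoever can replace the jar on a
    # mirror can replace the .sha1 beside it, so this is not an authenticity check.
    return hmac.compare_digest(actual, expected)


# gpg --status-fd output: lines prefixed with "[GNUPG:]".  VALIDSIG means the
# signature checks out cryptographically; the TRUST_* line says how far the
# local keyring / web of trust vouches for the signing key.  Keep them separate.
SUFFICIENT_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def parse_gpg_status(status_text):
    """Reduce gpg status lines to signature validity, key fingerprint and trust."""
    result = {"signature_valid": False, "fingerprint": None, "trust": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword == "VALIDSIG":
            result["signature_valid"] = True
            result["fingerprint"] = fields[2].upper()
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            result["signature_valid"] = False
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword
    return result


def accept_artifact(status, trusted_fingerprints=frozenset()):
    """Policy: a valid signature AND a key we trust (an explicit pin, or full/ultimate web-of-trust)."""
    if not status["signature_valid"]:
        return False
    if status["trust"] == "TRUST_NEVER":
        return False
    if status["fingerprint"] in trusted_fingerprints:
        return True
    return status["trust"] in SUFFICIENT_TRUST


def verify_signature(artifact_path, signature_path, trusted_fingerprints=frozenset()):
    """Run gpg on a detached .asc and apply the policy above (needs gpg on PATH)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, artifact_path],
        capture_output=True, text=True, check=False,
    )
    return accept_artifact(parse_gpg_status(proc.stdout), trusted_fingerprints)


# Constructed sample status output (not captured from a real gpg run): a
# signature that verifies but whose key nobody in the local web of trust has signed.
GOOD_BUT_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2008-04-23 1208950000 0 4 0 1 2 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample: the signature does not match the artifact at all.
BAD_SIGNATURE = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""

if __name__ == "__main__":
    jar = b"hello"  # constructed stand-in for an artifact's bytes
    print("sha1 ok:", verify_checksum(jar, "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d  example.jar\n"))
    st = parse_gpg_status(GOOD_BUT_UNTRUSTED)
    print("valid:", st["signature_valid"], "trust:", st["trust"])
    print("accept without a pinned key:", accept_artifact(st))
    print("accept with the key pinned:", accept_artifact(st, {st["fingerprint"]}))
```

The point the sample output makes is the one from the reply: gpg reports `VALIDSIG` for the untrusted key, so the signature is fine, but `accept_artifact` still refuses it until the fingerprint is pinned or the web of trust rates the key fully trusted. Where the signature file is fetched from does not enter the decision at all.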

