maven-issues mailing list archives

From "Florian Schmaus (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (MNG-6026) Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)
Date Sun, 01 Apr 2018 10:20:00 GMT

     [ https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Schmaus updated MNG-6026:
---------------------------------
    Description: 
I'm not sure if this is the right place to raise a feature request for the POM format itself.
I've already tried to get in touch with the right people about this feature request, but failed.
I'm willing to help design and implement this, but need guidance.

The origin of this feature request is [http://stackoverflow.com/a/34795359/194894], and [especially
a SO user requesting me to put this up|http://stackoverflow.com/questions/3307146/verification-of-dependency-authenticy-in-maven-pom-based-automated-build-systems/34795359?noredirect=1#comment62178671_34795359].
h2. Extend the Project Object Model (POM) with trust information (OpenPGP - RFC 4480 and hash values)

What we need is the possibility to model a trust relation from your project or artifact to
the declared dependencies. So that, if all involved parties declare such a relation, we are
able to create a "chain of trust" from the root (e.g. the project) over its dependencies down
to the very last transitive dependency. The Project Object Model (POM) needs to be extended
by a <verification/> element for dependencies.
h3. Current Situation

Right now we have something like
{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.0</version>
</dependency>
{code}
h3. Hard dependencies

For hard dependencies, <verification/> could include the sha256sum of the artifact and its
POM file:
{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0]</version>
  <verification>
    <checksum hash='sha-256'>
      <pom>[sha256 of junit pom file]</pom>
      <artifact>[sha256sum of artifact (junit.jar)]</artifact>
    </checksum>
  </verification>
</dependency>
{code}
h3. Soft dependencies

If soft or ranged dependencies are used, then we could specify the public key (or multiple)
of the keypair used to sign the artifacts:
{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0,4.5)</version>
  <verification>
    <openpgp>[secure fingerprint of OpenPGP key]</openpgp>
    <!-- possible further 'openpgp' elements in case the artifacts in the
         specified version range were signed by multiple keys -->
  </verification>
</dependency>
{code}

  was:
I'm not sure if this is the right place to raise an feature request for the POM format itself.
I've already tried to get in touch with the right people about this feature request, but failed.
I'm willing to help designing and implementing tihs, but need guidance.

The origin of this feature request is http://stackoverflow.com/a/34795359/194894, and [especially
a SO user requesting me to put this up|http://stackoverflow.com/questions/3307146/verification-of-dependency-authenticy-in-maven-pom-based-automated-build-systems/34795359?noredirect=1#comment62178671_34795359].

h2. Extend the Project Object Model (POM) with trust information (OpenPGP - RFC 4480 and hash
values)

What we need is the possibility to model a trust relation from your project or artifact to
the declared dependencies. So that, if all involved parties declare such a relation, we are
able to create a "chain of trust" from the root (e.g. the project) over its dependencies down
to the very last transitive dependency. The Project Object Model (POM) needs to be extended
by a <verification/> element for dependencies.

h3. Current Situation

Right now we have something like

{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.0</version>
</dependency>
{code}

h3. Hard dependencies

For hard dependencies, <verfication/> could include the sha256sum of artifact and its
POM file:

{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0]</version>
  <verification>
    <checksum hash='sha-256'>
      <pom>[sha256 of junit pom file]</pom>
      <artifact>[sha256sum of artifact (junit.jar)]</artifact>
    </checksum>
  </verification>
</dependency>
{code}

h3. Soft dependencies

If soft or ranged dependencies are used, then we could specify the public key (or multiple)
of the keypair used to sign the artifacts

{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0,4.5)</version>
  <verification>
    <openpgp>[secure fingerprint of OpenPGP key]</openpgp>
    <!-- possible further 'openpgp' elements in case the artifacts in the
         specified version range where signed by multiple keys -->
  </verification>
</dependency>
{code}


> Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)
> -----------------------------------------------------------------------------------
>
>                 Key: MNG-6026
>                 URL: https://issues.apache.org/jira/browse/MNG-6026
>             Project: Maven
>          Issue Type: New Feature
>          Components: core
>            Reporter: Florian Schmaus
>            Priority: Major
>
> I'm not sure if this is the right place to raise a feature request for the POM format itself. I've already tried to get in touch with the right people about this feature request, but failed. I'm willing to help design and implement this, but need guidance.
> The origin of this feature request is [http://stackoverflow.com/a/34795359/194894], and [especially a SO user requesting me to put this up|http://stackoverflow.com/questions/3307146/verification-of-dependency-authenticy-in-maven-pom-based-automated-build-systems/34795359?noredirect=1#comment62178671_34795359].
> h2. Extend the Project Object Model (POM) with trust information (OpenPGP - RFC 4480 and hash values)
> What we need is the possibility to model a trust relation from your project or artifact to the declared dependencies. So that, if all involved parties declare such a relation, we are able to create a "chain of trust" from the root (e.g. the project) over its dependencies down to the very last transitive dependency. The Project Object Model (POM) needs to be extended by a <verification/> element for dependencies.
> h3. Current Situation
> Right now we have something like
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>4.0</version>
> </dependency>
> {code}
> h3. Hard dependencies
> For hard dependencies, <verification/> could include the sha256sum of the artifact and its POM file:
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>[4.0]</version>
>   <verification>
>     <checksum hash='sha-256'>
>       <pom>[sha256 of junit pom file]</pom>
>       <artifact>[sha256sum of artifact (junit.jar)]</artifact>
>     </checksum>
>   </verification>
> </dependency>
> {code}
> h3. Soft dependencies
> If soft or ranged dependencies are used, then we could specify the public key (or multiple) of the keypair used to sign the artifacts:
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>[4.0,4.5)</version>
>   <verification>
>     <openpgp>[secure fingerprint of OpenPGP key]</openpgp>
>     <!-- possible further 'openpgp' elements in case the artifacts in the
>          specified version range were signed by multiple keys -->
>   </verification>
> </dependency>
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
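
Added example, not part of the original message and not Maven code: a Python sketch of how a resolver could enforce the checksum form of the proposed <verification/> element from the "Hard dependencies" section, failing closed on a mismatch and flagging dependencies that declare no pin. The POM fragment, file bytes and status names are constructed for illustration, and the fragment omits the XML namespace a real POM carries.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for the downloaded files (not real junit bytes).
POM_BYTES = b"<project><artifactId>junit</artifactId></project>"
JAR_BYTES = b"constructed jar bytes"

# Constructed POM fragment using the proposed <verification/> element.
SAMPLE = f"""
<dependencies>
  <dependency>
    <groupId>junit</groupId><artifactId>junit</artifactId><version>[4.0]</version>
    <verification>
      <checksum hash='sha-256'>
        <pom>{hashlib.sha256(POM_BYTES).hexdigest()}</pom>
        <artifact>{hashlib.sha256(JAR_BYTES).hexdigest()}</artifact>
      </checksum>
    </verification>
  </dependency>
  <dependency>
    <groupId>org.example</groupId><artifactId>unpinned</artifactId><version>1.0</version>
  </dependency>
</dependencies>
"""

def check_dependency(dep, pom_bytes, artifact_bytes):
    """Return 'ok', 'mismatch' or 'unpinned' for one <dependency> element."""
    checksum = dep.find("verification/checksum")
    if checksum is None:
        return "unpinned"   # no checksum declared: the chain of trust stops here
    if checksum.get("hash", "").lower() != "sha-256":
        return "mismatch"   # fail closed on algorithms this sketch does not handle
    for tag, data in (("pom", pom_bytes), ("artifact", artifact_bytes)):
        declared = (checksum.findtext(tag) or "").strip().lower()
        if declared != hashlib.sha256(data).hexdigest():
            return "mismatch"   # also covers a missing <pom> or <artifact> value
    return "ok"

def verify_all(xml_text, fetched):
    """fetched maps 'groupId:artifactId' to (pom_bytes, artifact_bytes)."""
    results = {}
    for dep in ET.fromstring(xml_text).iter("dependency"):
        key = f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}"
        results[key] = check_dependency(dep, *fetched.get(key, (b"", b"")))
    return results
```

A build would refuse to continue on "mismatch", and a strict policy would also refuse "unpinned", since one undeclared dependency breaks the chain for everything below it.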
