From "Mark R. Diggory" <mdigg...@apache.org>
Subject Re: Ant and repositories
Date Tue, 02 Nov 2004 13:21:07 GMT
Hi Steve,

Steve Loughran wrote:
> Hello,
> I'm Steve Loughran of the Ant project; Nicolaken said I should get on
> this mail list
> 1. I have just added to Ant CVS_HEAD a task to get libraries from a
> repository; built-in support is for Maven layouts, though others are
> possible.

This is a great idea.

> 2. I worry about the security aspects. I don't think it is enough to
> verify the MD5 signatures, because they are served up on the same
> (http) server.
> What should I be doing for verifying remote downloads are the intended
> ones, or what changes are planned in the near future that our task
> should ready itself for?
> Note that the task is focused on JAR/WAR/Ear archives only, so we can
> do full jar signature checking if that is felt the best solution. And
> we can ship with the public key of an Apache/Maven/Gump CA to verify
> signatures. Indeed, the fact that nothing has shipped at all yet (and
> won't till 1.7 alpha) means that we have time to get things right here.
> -Steve

This subject is going to be dependent on the overall capabilities of 
Maven itself. I think, as Maven moves forward, you're going to see more 
requirements for signatures. I think that in your case, all the Ant task 
would probably maintain is some "warning" or interactive y/n/a/na 
concerning the signature being missing or bad. This is because no matter 
what policies we put in place for the ASF Repository, they are but a 
subset of possible outcomes in Maven.

Ultimately, users of the task should be using 
http://www.ibiblio.org/maven, an Apache mirror, or another local Maven 
repository as the target for downloading dependencies, and not ever the 
/dist/java-repository on minotaur directly.

In theory, all PGP signatures on files in the repository should have 
public keys stored somewhere under "KEYS" like other contents of /dist/, 
but I don't currently think this is a well-maintained or organized practice 
in the ASF Repository. It should be better maintained, and we've had 
discussions about improving it.


Mark Diggory
Open Source Software Developer
Apache Jakarta Project
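The point Steve raises (a digest published next to the artifact on the same HTTP server proves nothing if that server, or the path to it, is untrusted) and Mark's suggestion that the task only needs an ok / missing / bad outcome to act on are illustrated below. This is an added example written for this archive page; it is not code from the thread, from Ant, or from Maven. It uses SHA-256 rather than the MD5 the thread mentions, and it uses a digest pinned out of band (for example, recorded in the build file after a developer verified the release) as the independent trust root, because the Python standard library has no OpenPGP support; a PGP signature checked against a key from a separately obtained KEYS file is the stronger form Mark describes. The `Mirror` class, `verify_status` function, and all artifact bytes are constructed stand-ins.

```python
"""Added example: same-server digest check versus a pinned, out-of-band digest.

Everything here is constructed in memory so it runs offline; no real
repository, mirror or release artifact is involved.
"""
import hashlib
import hmac
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact (stand-in for the MD5 files the thread mentions)."""
    return hashlib.sha256(data).hexdigest()


# Constructed: the bytes the project actually released.
GENUINE_JAR = b"PK\x03\x04 constructed genuine release contents"

# Constructed: the digest a developer recorded out of band (e.g. checked into
# the build file) after verifying the release. The download server cannot
# alter this value, which is what makes it a usable trust root.
PINNED_SHA256 = sha256_hex(GENUINE_JAR)


class Mirror:
    """Constructed stand-in for an HTTP repository serving a jar plus a .sha256 file.

    The digest file is generated from whatever the mirror holds, so it is
    always self-consistent with the served bytes; that is exactly why it
    cannot, on its own, tell a client whether those bytes are the real release.
    """

    def __init__(self, artifact: bytes) -> None:
        self.artifact = artifact
        self.digest_file = sha256_hex(artifact)


def same_server_check(mirror: Mirror) -> bool:
    """Weak check: compare the download against the digest served beside it.

    Detects transfer corruption only; anyone who can change the artifact on
    the server can regenerate the digest file too.
    """
    return sha256_hex(mirror.artifact) == mirror.digest_file


def pinned_check(artifact: bytes, pinned_digest: str) -> bool:
    """Stronger check: compare against a digest obtained from an independent source."""
    return hmac.compare_digest(sha256_hex(artifact), pinned_digest)


def verify_status(artifact: bytes, pinned_digest: Optional[str]) -> str:
    """Outcome a build task can act on, mirroring the 'missing or bad' cases
    Mark mentions: "ok", "missing" (nothing to verify against) or "bad"."""
    if pinned_digest is None:
        return "missing"
    return "ok" if pinned_check(artifact, pinned_digest) else "bad"


def demo() -> dict:
    """Run all three scenarios and return (same_server_ok, pinned_status) per case."""
    honest = Mirror(GENUINE_JAR)
    # Constructed: a mirror whose copy differs from the genuine release; its
    # digest file still matches its own (wrong) bytes.
    altered = Mirror(b"PK\x03\x04 constructed altered contents")
    return {
        "honest": (same_server_check(honest), verify_status(honest.artifact, PINNED_SHA256)),
        "altered": (same_server_check(altered), verify_status(altered.artifact, PINNED_SHA256)),
        "unpinned": (same_server_check(honest), verify_status(honest.artifact, None)),
    }


if __name__ == "__main__":
    for name, (served_ok, status) in demo().items():
        print(f"{name:8s} same-server digest ok={served_ok}  pinned verification={status}")
```

The "altered" case passes the same-server check and fails the pinned one, which is the gap Steve points at; the "unpinned" case is where a task following Mark's suggestion would warn or prompt rather than silently accept.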
