www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <steve.lough...@gmail.com>
Subject Re: security, hashing.
Date Tue, 15 Mar 2005 21:20:28 GMT
On Tue, 15 Mar 2005 09:51:54 -0500, Mark Diggory <mdiggory@gmail.com> wrote:
> Russell Gold wrote:
> >On Thu, 10 Mar 2005 20:11:20 +0000, Steve Loughran
> ><steve.loughran@gmail.com> wrote:
> >
> >
> >>The disadvantages
> >> -no obvious 'latest version' in the repository
> >> -harder to field support calls, "what is the hash of your artifacts"?
> >>
> >>
> >
> >Not to mention, really complicating the job of upgrading to new versions.
> >
> >Is there a danger here of solving the 1% case at the expense of the 99% case?
> >
> >
> >
> axis-0.0.1-04f3d5aab0.jar
> then you have the version and the hash... Think of the hash as similar "alpha", "beta"
or "rcN" identifiers (isn't it really? Your just identifying this particular "packaging" of
> But then again, this starts to get into the arena of Jar Signing, and there already is
facility for that in Jar Artifacts...

The trouble with signed jars is the side effect. sign a jar and it
becomes implicitly sealed: you cannot load new classes into populated
packages. For example, if Ant signed its jars, org.apache.tools.ant,
org.apache.tools.ant.taskdefs.optional and the like would only be
allowed to contain JARs which came from Ant. If any one is signed: all
the rest are locked out.

This is , IMO, complete antithesis to open source dev -there is no
point giving you the source if you can't use it.

What I am thinking of for a short term solution that works with the
existing repository is allow people to put the SHA1 digest in the
build file when loading a library

<library project="junit" version="3.8.1" sha1="3fc00lbabe456" />

This puts the checksum declaration into the build file, giving whoever
writes the file control. This will work with the existing system; I
just build the SHA1 checksum and compare it with what the user asked
for. The project/artifact/version info is all that is used for
retrieval though.

View raw message