jmeter-dev mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: PGP-based dependency verification
Date Tue, 03 Sep 2019 17:15:06 GMT

On 03.09.19 at 12:02, Vladimir Sitnikov wrote:
> Hi,
>
> What do you think of https://github.com/apache/jmeter/pull/488 ?


I think it is a nice idea, but isn't it a bit different in semantics to
the current checksum-based validation?

At the moment we check for the exact version of the binary, while with
PGP-based validation we would check for an exact version released by the
owner of the key.

Do you think this is a problem? On the other hand I trust that mechanism
all the time for my Ubuntu distro and it would be the same for Windows,
BSD and all the others, right?

Felix

>
> It enables the use of PGP for artifact verification, so it would simplify
> dependency updates without losing too much.
>
> For instance, recent Jackson and Apache Tika updates could have been served by
> <trusted-key id='c9fbaa83a8753994' group='com.fasterxml.jackson.core' />
> and
> <trusted-key id='4a51a45b944ffd51' group='org.apache.tika' />
>
> Vladimir
>
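
The difference in semantics raised in this message, as an added example that is not part of the original mail or of the JMeter pull request: a checksum pin accepts only the exact bytes recorded for one version, while a trusted key accepts whatever its owner signs for that group. The `<trust>` wrapper, module coordinates, versions and jar bytes are constructed, and the PGP signature check itself is assumed to have been done already, with the verified signer key id passed in.

```python
import hashlib
import xml.etree.ElementTree as ET

# The two <trusted-key> elements are quoted from the message; the <trust>
# wrapper, module names, versions and jar bytes are constructed for this example.
CONFIG = """<trust>
  <trusted-key id='c9fbaa83a8753994' group='com.fasterxml.jackson.core' />
  <trusted-key id='4a51a45b944ffd51' group='org.apache.tika' />
</trust>"""

def load_trusted_keys(xml_text):
    """Return {group: {key ids}} from <trusted-key> elements."""
    trusted = {}
    for el in ET.fromstring(xml_text).iter("trusted-key"):
        trusted.setdefault(el.get("group"), set()).add(el.get("id").lower())
    return trusted

def checksum_ok(pins, coord, data):
    """Checksum policy: only the exact pinned bytes for this coordinate pass."""
    return pins.get(coord) == hashlib.sha512(data).hexdigest()

def key_ok(trusted, coord, signer):
    """Key policy: any artifact passes if its signature verified (assumed done
    by a PGP tool, not here) under a key trusted for the artifact's group.
    signer is that key id, or None when there is no valid signature."""
    group = coord.split(":")[0]
    return signer is not None and signer.lower() in trusted.get(group, set())

def evaluate():
    """Run both policies over constructed cases; return {case: (checksum, key)}."""
    trusted = load_trusted_keys(CONFIG)
    old = "com.fasterxml.jackson.core:jackson-core:1.0"
    new = "com.fasterxml.jackson.core:jackson-core:1.1"
    pins = {old: hashlib.sha512(b"jar bytes 1.0").hexdigest()}
    jackson_key, tika_key = "c9fbaa83a8753994", "4a51a45b944ffd51"
    cases = {
        "pinned release": (old, b"jar bytes 1.0", jackson_key),
        "new version, same signer": (new, b"jar bytes 1.1", jackson_key),
        "different bytes, same version and signer": (old, b"rebuilt", jackson_key),
        "signed by key trusted for another group": (old, b"jar bytes 1.0", tika_key),
        "unsigned": (new, b"jar bytes 1.1", None),
    }
    return {name: (checksum_ok(pins, c, d), key_ok(trusted, c, s))
            for name, (c, d, s) in cases.items()}

if __name__ == "__main__":
    for name, (by_checksum, by_key) in evaluate().items():
        print(f"{name:42} checksum={by_checksum!s:5} key={by_key}")
```

The second and third cases are the ones the two policies disagree on in the key's favour: the update needs no new pin, and the same key can also vouch for different bytes under an already-pinned version.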
