jmeter-dev mailing list archives

From Philippe Mouawad <p.moua...@ubik-ingenierie.com>
Subject Re: Upgrading dependency and trusted-key
Date Sun, 29 Sep 2019 19:50:42 GMT
On Sun, Sep 29, 2019 at 9:43 PM Vladimir Sitnikov <sitnikov.vladimir@gmail.com> wrote:

> > can you describe the approach we need to follow in such a case?
>
> There are different views on the matter.
>
> There is a view that dependencies should be verified on CI servers only
> (see https://github.com/ben-manes/caffeine/pull/342#issuecomment-536228799
> )
> For instance, we could configure the build in such a way that it validates
> checksums only if it is explicitly configured.
>
> Nevertheless,
> 1) I suggest asking library vendors to publish PGP keys.
>
> I have already created a couple of issues, and I tend to copy-paste the
> same request with slight variations.
>
> See
> https://gitlab.ow2.org/asm/asm/issues/317884
> https://github.com/raphw/byte-buddy/issues/721
>
> https://github.com/spring-projects/spring-framework/issues/23434#issuecomment-523882229
> https://github.com/junit-team/junit5/issues/2020
> https://github.com/hamcrest/JavaHamcrest/issues/274
> https://github.com/jacoco/jacoco/issues/937
> https://github.com/GPars/GPars/issues/62
> https://youtrack.jetbrains.com/issue/KT-33781
>
> and so on.
>
> Some of them are already implemented (e.g. JUnit)
>

Caffeine and RSyntaxTextArea also did that.

>
> 2) Sometimes committers sign their commits/tags, and if you treat GitHub
> as an authoritative source code repository, then it can happen that the
> commit signing key matches the release key.
> See https://github.com/dnsjava/dnsjava/releases . The release tag is
> signed with 3449EC3AC2EFE8AA which is the same key you mention.
>

ok

>
> 3) As you said, keybase.io might help to associate different
> logins/domains with a PGP key ID. Keybase identity claims are
> cryptographically verified, so if Keybase shows "the person owns GitHub
> login and Twitter login", then it means they can indeed post a comment. It
> might happen you know a library author by their Twitter handle; however,
> Twitter does not allow publishing a "PGP key". Keybase might help to relate
> those IDs.
>
>
>
> However, it is not clear how to document the result of those
> investigations.
>
> For instance, JUnit5 has added a link to the KEYS file.
> The link is placed on the official site (search https://junit.org/junit5/ for
> KEYS), and it points to a GitHub HTML (!) page.
> Frankly speaking, I would prefer a plain-text URL for KEYS.
> I've no idea where we could / should document the analysis of "here's a
> trace/link for verification of the key in question".
>
> We could create a side file (or a wiki page) to document "dependency --
> website -- keys link"
> I'm open to suggestions here.
>
> You might have seen there's a META files initiative; however, it is
> ASF-specific.
>
> Vladimir
>


-- 
Philippe Mouawad
Senior Performance Expert
Ubik Ingenierie, https://www.ubik-ingenierie.com
+33 3 20 91 49 81 | p.mouawad@ubik-ingenierie.com
23 rue du chemin de fer, 59100 Roubaix
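The thread above is about deciding which PGP key a dependency's artifacts should be checked against and where to record that decision (a KEYS file, a release tag signed with key 3449EC3AC2EFE8AA, a Keybase profile). The following is an added worked example, not code from this thread or from JMeter's build: a small checker that reads the armored blocks of a KEYS file, verifies the armor CRC, derives each primary key's fingerprint from the public-key packet as RFC 4880 section 12.2 defines it, and shows that the 16-hex "key ID" a signed tag displays is just the low 64 bits of that fingerprint, which is why the side file Vladimir proposes should pin the full 40-hex fingerprint rather than the ID. The KEYS text is constructed here from a structurally valid but fictitious RSA key (an assumption; the modulus is a placeholder, not a real key), and the "Example Release Manager" uid is invented.

```python
import base64
import hashlib
import re
import struct

def crc24(data: bytes) -> int:
    """Armor CRC-24 (RFC 4880 6.1): detects damaged downloads, not tampering."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor_public_key(packets: bytes) -> str:
    """Wrap raw packets in a PUBLIC KEY BLOCK with the trailing '=' CRC line."""
    b64 = base64.b64encode(packets).decode()
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])

def dearmor(block: str) -> bytes:
    """Decode one armored block; a CRC mismatch raises instead of being ignored."""
    inner = block.strip().splitlines()[1:-1]
    if "" in inner:                      # skip armor headers (Version:, Comment:)
        inner = inner[inner.index("") + 1:]
    crc_line = inner.pop() if inner and inner[-1].startswith("=") else None
    data = base64.b64decode("".join(inner))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor CRC mismatch")
    return data

def read_packet(data: bytes, offset: int = 0):
    """Parse one packet header (old or new format); return (tag, body, next_offset)."""
    first = data[offset]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                     # new-format header, 1- or 2-octet length
        tag, l0 = first & 0x3F, data[offset + 1]
        if l0 < 192:
            length, hdr = l0, 2
        elif l0 < 224:
            length, hdr = ((l0 - 192) << 8) + data[offset + 2] + 192, 3
        else:
            raise ValueError("5-octet and partial body lengths not supported")
    else:                                # old-format header; 0x99 = tag 6, 2-octet length
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(data[offset + 1:offset + hdr], "big")
    return tag, data[offset + hdr:offset + hdr + length], offset + hdr + length

def v4_fingerprint(public_key_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length and the body."""
    if public_key_body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(public_key_body))
                        + public_key_body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """A long key ID like 3449EC3AC2EFE8AA is only the low 64 bits of the fingerprint."""
    return fingerprint[-16:]

ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?-----END PGP PUBLIC KEY BLOCK-----", re.S)

def fingerprints_in_keys_file(text: str) -> list:
    """Fingerprints of every primary key (tag 6) in a KEYS file; subkeys are tag 14."""
    found = []
    for block in ARMOR_RE.findall(text):
        data, offset = dearmor(block), 0
        while offset < len(data):
            tag, body, offset = read_packet(data, offset)
            if tag == 6:
                found.append(v4_fingerprint(body))
    return found

def trusted_key_present(keys_text: str, expected_fingerprint: str) -> bool:
    """Pin the full 40-hex fingerprint: 16-hex key IDs can be brute-forced to collide."""
    want = expected_fingerprint.replace(" ", "").upper()
    if len(want) != 40:
        raise ValueError("pin the full fingerprint, not a key ID")
    return want in fingerprints_in_keys_file(keys_text)

def rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Old-format tag-6 packet as gpg exports it: v4, creation time, algo 1 (RSA), MPIs n, e."""
    def mpi(v):  # 2-octet bit count, then big-endian magnitude
        return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body

# Constructed sample (assumption, not a real key): a valid-looking fictitious RSA-2048 key in ASF KEYS style.
SAMPLE_PACKET = rsa_public_key_packet((1 << 2047) | 0x10001, 65537, 1569783600)
SAMPLE_FINGERPRINT = v4_fingerprint(read_packet(SAMPLE_PACKET)[1])
SAMPLE_KEYS = ("pub   rsa2048 2019-09-29 [SC]\n      " + SAMPLE_FINGERPRINT
               + "\nuid   Example Release Manager <release@example.invalid>\n\n" + armor_public_key(SAMPLE_PACKET) + "\n")
```

In use, `trusted_key_present(keys_text, pinned_fingerprint)` would run against the KEYS file fetched from the dependency's own site, with the pinned fingerprint taken from the "dependency -- website -- keys link" side file; `key_id()` gives the value to compare with what `git verify-tag` or a signed-release page prints. The checker refuses a bare key ID on purpose, since two different keys can share the same 64-bit ID while their fingerprints cannot collide in practice.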
