> On Jan 2, 2016, at 10:27, Toby Crawley <t...@tcrawley.org> wrote: > > On Sat, Jan 2, 2016 at 12:47 AM, Michael Gardner <gardne...@gmail.com> wrote: >> >> I would caution against this approach. An attacker could easily target >> specific organizations, serving compromised artifacts only to particular IP >> ranges. A periodic verification process wouldn't detect this[1], and might >> lend a false sense of security that lulls people into putting off real >> security measures. >> >> [1] Unless run by every organization that uses lein, and even then it still >> might not catch anything if the attackers are clever. >> > > That's a good point. Would you trust this approach more if the mirrors > were all managed by the clojars staff instead of by community members? > You currently trust the clojars staff to not act maliciously, and to > detect an intrusion by a third party against clojars.org.
I would trust it somewhat more. An increase in the number of servers still means an increase in the system's attack surface, but at least there shouldn't be any additional risk from those running the mirrors. Still, my personal opinion (for whatever it's worth) is that ensuring the entire process is always cryptographically secure end-to-end should be a higher priority than establishing mirrors. -- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to clojure@googlegroups.com Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en --- You received this message because you are subscribed to the Google Groups "Clojure" group. To unsubscribe from this group and stop receiving emails from it, send an email to clojure+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
