Gilles Scokart wrote:
> 2008/9/15 William A. Rowe, Jr. <[EMAIL PROTECTED]>:
>> Brett Porter wrote:
>>> For the releases to be identified as from the incubator, they'll need to be
>>> signed solely by "the incubator". Did you want to elaborate on how you
>>> anticipated that set up working?
>> With PGP it's a web of trust.  Any ASF-role key would never be used to sign
>> any artifact.  Ideally, ASF-key would sign incubator key, incubator key
>> would sign Jane's key, Jane would RM and sign with her own key, and the web
>> of trust satisfies the trust requirement.
>
> That would require a completely isolated web of trust for the incubator
> release.  If the incubating web of trust is trusted by someone that I
> trust, then I would trust the incubating artefact without realising
> that this artefact comes from the incubator.
> I thought the objective was to force the user to agree that he
> understands he is using an incubating artefact.

That's not the point of a signature.  Signature verification is a mechanism
to validate the origin of the package.  Not its integrity vs. a checksum,
but that the package (and checksum) had not been altered in the repository
at the origin server, during transit (e.g. a man-in-the-middle attack) nor
locally.

If you (as an author) are satisfied that any 1.x.x release will satisfy
your dependency on package foo, even if you generate checksums on all
of 1.0.0 through current rev 1.1.12, that doesn't help you when foo then
ships package 1.2.0, effectively rendering maven worthless.

Signatures exist for a reason: they don't require pre-knowledge of some
package that does not yet exist, and serve to authenticate the package's
origin.  That's why .rpm and other distribution models all rely on them.
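As an added illustration of the chain William describes (not part of the thread or of any ASF tooling), a small Go model in which the ASF key certifies the incubator key, the incubator key certifies Jane's key, and Jane signs releases; Ed25519 stands in for PGP, and all keys, artifact bytes and version numbers are constructed for the example. It also checks the contrast he draws: a checksum list pinned before 1.2.0 existed cannot accept 1.2.0, while a signature from a key in the web of trust can.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Cert models a PGP key signature: Signer vouches that Subject's key is genuine.
type Cert struct {
	Signer, Subject ed25519.PublicKey
	Sig             []byte
}

// Trusted reports whether key is reachable from anchor through valid certifications.
func Trusted(anchor, key ed25519.PublicKey, certs []Cert, seen map[string]bool) bool {
	if anchor.Equal(key) {
		return true
	}
	if seen[string(key)] { // cycle guard: webs of trust contain mutual signatures
		return false
	}
	seen[string(key)] = true
	for _, c := range certs {
		if c.Subject.Equal(key) && ed25519.Verify(c.Signer, c.Subject, c.Sig) &&
			Trusted(anchor, c.Signer, certs, seen) {
			return true
		}
	}
	return false
}

// ArtifactOK: signature must verify AND the signer must be in the web of trust.
func ArtifactOK(anchor ed25519.PublicKey, certs []Cert, signer ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(signer, artifact, sig) && Trusted(anchor, signer, certs, map[string]bool{})
}

// Demo: ASF key -> incubator key -> Jane (RM); returns (1.1.12 by signature, 1.2.0 by signature, 1.2.0 by pinned checksum).
func Demo() (bool, bool, bool) {
	asfPub, asfPriv, _ := ed25519.GenerateKey(rand.Reader)
	incPub, incPriv, _ := ed25519.GenerateKey(rand.Reader)
	janePub, janePriv, _ := ed25519.GenerateKey(rand.Reader)
	certs := []Cert{{asfPub, incPub, ed25519.Sign(asfPriv, incPub)}, {incPub, janePub, ed25519.Sign(incPriv, janePub)}}
	old, next := []byte("foo-1.1.12.jar (constructed)"), []byte("foo-1.2.0.jar (constructed)")
	pinned := map[[32]byte]bool{sha256.Sum256(old): true} // checksums known when the build was pinned
	return ArtifactOK(asfPub, certs, janePub, old, ed25519.Sign(janePriv, old)),
		ArtifactOK(asfPub, certs, janePub, next, ed25519.Sign(janePriv, next)),
		pinned[sha256.Sum256(next)]
}
func main() { fmt.Println(Demo()) } // prints: true true false
```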

