Trust me I'm not trying to be difficult..

On Thu, Sep 18, 2008 at 4:53 PM, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
> Hiram, I wish you would desist already from debating positions that you
> can't defend...
>
> Hiram Chirino wrote:
>>
>> On Thu, Sep 18, 2008 at 3:07 PM, sebb <[EMAIL PROTECTED]> wrote:
>>>
>>> On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>>>>
>>>> So the responsibility is still on us, the upstream distributor, to
>>>> verify the checksums we list in our source distro are correct.
>>>
>>> And how do we do that?
>>> We cannot use the Maven repo as it has already been compromised.
>>
>> If you are totally paranoid, you would build all the dependencies
>> yourself and use those checksums. :) Since that's not practical,
>> you have to trust that an artifact on a maven repo has not been
>> hacked.. or even validate it has not been hacked (perhaps the project
>> provides a separate website with the checksums of the artifacts).
>
> www.apache.org has been breached at least once in its history. Over the
> course of the next 100 years, it will likely happen once again. You have
> two ASF machines and two maven machines in the matrix, the DNS and www
> servers of both ASF and the maven host. That's four vectors already.
> I'm not even going into other upstream hosts.
>

Agreed. I never argued against this. But I fail to see the point? Are
you saying initial trust is hard to secure? I totally agree on that
point. You have any solutions?

> If it were cracked again, MD5 signatures would not be trusted, and all of
> those resources would be wiped if there were no gpg keys available to
> validate the packages.

Are you saying even the source code/svn would be wiped? If that's the
case we would have a real tragedy on our hands. I hope we kept good
backups.

>
> At least, you design for this scenario and pray that doesn't happen.
>
> Hiram Chirino wrote:
>>
>> Yes, but that kind of attack would only affect me if it's the first
>> time I'm creating a dependency to that artifact. Furthermore, other
>> existing users of the artifact would detect the artifact replacement,
>> and act to get the problem corrected. I consider the checksum
>> solution very similar to how SSH works in asking you to verify your
>> initial connection to a host. It's not 100% secure, but in practical
>> use, it's in the high 90s. :)
>
> Using SHA-384 and higher? Or MD5? MD5 can be cracked resulting in a
> same sized object.

It's configurable.. We can default to whatever algorithm you think is
the most secure for the foreseeable future.

-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com
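The scheme the thread is debating, a shipped checksum list that is trusted on first use the way SSH trusts a host key on the first connection, with the hash algorithm configurable and MD5 excluded, as an added example. This is not code from the thread or from any ASF or Maven project; the artifact coordinate, the JSON layout of the pin file, the constructed artifact bytes and the function names are assumptions made for the demonstration.

```python
"""Trust-on-first-use checksum pinning for downloaded dependencies.

Added example, not code from the thread or from any ASF/Maven project. It models
the scheme under discussion: a source distribution ships a list of artifact
checksums, the first fetch of an artifact pins its digest, and every later fetch
must match the pin. The algorithm is configurable; MD5 and SHA-1 are refused
because a colliding artifact of the same size can be constructed for them.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Optional

# Algorithms accepted for a pin (names are hashlib's own). Assumed policy.
ACCEPTED_ALGORITHMS = ("sha256", "sha384", "sha512")
DEFAULT_ALGORITHM = "sha384"


@dataclass
class VerifyResult:
    artifact: str           # e.g. a Maven coordinate (constructed for the demo)
    status: str             # "pinned" (first sight), "ok", or "mismatch"
    expected: Optional[str]  # digest recorded in the pin list, None on first sight
    actual: str             # digest of the bytes just fetched


def digest(data: bytes, algorithm: str = DEFAULT_ALGORITHM) -> str:
    """Hex digest of the artifact bytes, refusing algorithms that admit collisions."""
    if algorithm not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"refusing weak or unknown checksum algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def verify_artifact(pins: Dict[str, dict], artifact: str, data: bytes,
                    algorithm: str = DEFAULT_ALGORITHM) -> VerifyResult:
    """Check `data` for `artifact` against `pins`, pinning it on first sight.

    `pins` maps artifact name -> {"algorithm": ..., "digest": ...}. It stands in
    for the checksum list a source distro would ship and is written only on
    first sight; a later mismatch is reported, never silently re-pinned.
    """
    entry = pins.get(artifact)
    if entry is None:
        actual = digest(data, algorithm)
        pins[artifact] = {"algorithm": algorithm, "digest": actual}
        return VerifyResult(artifact, "pinned", None, actual)
    # Hash with the algorithm recorded in the pin, never one supplied with the
    # fetch, so a replaced artifact cannot downgrade the check.
    actual = digest(data, entry["algorithm"])
    status = "ok" if actual == entry["digest"] else "mismatch"
    return VerifyResult(artifact, status, entry["digest"], actual)


def dump_pins(pins: Dict[str, dict]) -> str:
    """Serialise the pin list for inclusion in a source distribution."""
    return json.dumps(pins, indent=2, sort_keys=True)


def load_pins(text: str) -> Dict[str, dict]:
    """Load a shipped pin list, rejecting any entry recorded under a weak algorithm."""
    pins = json.loads(text)
    for name, entry in pins.items():
        if entry.get("algorithm") not in ACCEPTED_ALGORITHMS:
            raise ValueError(f"pin for {name} uses unacceptable algorithm "
                             f"{entry.get('algorithm')}")
    return pins


def demo() -> list:
    """Walk through first sight, a clean re-fetch, and a replaced artifact."""
    # Constructed artifact contents; a real run would hash the downloaded jar.
    good = b"PK\x03\x04 constructed jar bytes v1"
    swapped = b"PK\x03\x04 constructed jar bytes v1, with an extra class"
    pins: Dict[str, dict] = {}
    results = [
        verify_artifact(pins, "org.example:widget:1.0", good),     # pinned
        verify_artifact(pins, "org.example:widget:1.0", good),     # ok
        verify_artifact(pins, "org.example:widget:1.0", swapped),  # mismatch
    ]
    # Round-trip the pin list as it would be shipped and checked in.
    assert load_pins(dump_pins(pins)) == pins
    return results


if __name__ == "__main__":
    for r in demo():
        print(f"{r.artifact}: {r.status}")
```

The pin list is the thing the source distro ships, so `load_pins` applies the same algorithm policy as `digest`: a checked-in list that was pinned under MD5 is rejected outright rather than trusted. As in the SSH analogy, first sight is the unprotected moment; what the scheme buys is that every existing user with a pin detects a later replacement.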