On Wed, Sep 24, 2008 at 1:20 AM, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote: > On Mon, 2008-09-22 at 09:34 -0400, Hiram Chirino wrote: >> The only reason I suggested including the sigs in the source distro is >> because a source build like Apache ServiceMix depends on hundreds of >> third party dependencies.. so an end user would need to end up > > Yes. Now you are getting closer. > >> trusting LOTs different signatures to get ServiceMix to build. > > Right. You already have to do that today. Only you don't do it. And you > do trust Maven not to pull any compromised artifact as a four-levels > removed dependency. IAW, you are already in that hell, only Maven hides > it from you. > >> It would be easier if the end user could just trust the Apache source >> distro and also transitively trust the signatures that we trust for >> our dependencies. > > And that does not work. What is the "Apache source distro"? And whom do > you trust? Consider the following case (if you look really, really > close, you might find similarities to existing projects): > > The "Apache Foo" project has a stable release for a long time. This > release was signed by a developer well connected to the Apache web of > trust and so it was possible to somewhat verify that this distribution > is genuine. The project went from stable to dormant. After two years, a > new crop of committers was voted in and started to work on that project > again. They decided to release a new and improved version, ran through > all the Apache release process and the developer finall doing the > release used his new, shiny and nice "[EMAIL PROTECTED] (Code Signing Key)" > key to sign this release. However, as he never has visited an Apache > Keysigning event yet and is BTW living in Juneau, Alaska, his key is not > at all connected to the Apache web of trust. But this new version > contains a number of bug fixes that the dependees have waited for a long > long time. So they eagerly changed their Maven poms." >
I fail to see how this is a maven problem. Even if the build was ant based, won't we have the same problem? How do downstream users start trusting new Apache Foo releases? Even if you were using Ant or Make, wouldn't the problem be identical if came from a maven repo or if it was downloaded right from the Apache website? How do we verify a non-maven source distro today with 100% assurance it's not tampered with? -- Regards, Hiram Blog: http://hiramchirino.com Open Source SOA http://open.iona.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
