On Fri, Oct 3, 2008 at 5:31 PM, Noel J. Bergman <[EMAIL PROTECTED]> wrote:
> Jason van Zyl wrote:
>
>> Noel J. Bergman wrote:

<snip>

>> > Did you not see what just happened to Redhat with respect to
>> > Fedora?  They take artifact security seriously.  For a long time,
>> > it has appeared that Maven does not, but I am hopeful now that
>> > mandatory authorization will appear, so that I and others will not
>> > have to increase lobbying efforts to have the Maven repository
>> > closed, at least with respect to ASF projects.
>
>> How are you going to stop people from [creating their own artifacts and
>> repositories] Noel when it's their right?
>
> We don't have to.  We can simply mandate that every ASF project sign their
> artifacts and charge the Maven PMC with enforcing it.

sounds very reasonable

> And perhaps now you start to gain a glimmer of the depth of the problem
> created by Maven's irresponsible, unconscionable, lackadaisical attitude
> towards security, despite other repository exemplars (e.g., linux
> distributions) having had security in place for years.

that's probably a little strong

many distros have only really addressed this in the last year or so,
and even then their solutions are far from perfect

IMO a combination of approaches is required to deliver good defense in
depth, combining auditing, automatic signing, publication and wide
dissemination of results together with signatures by release managers.

this is also something that may well be best solved in a common forum.
it would be very useful to reach out to other organisations such as
fedora, debian, eclipse, java.net etc which have similar problems.

- robert

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]