On 6-Oct-08, at 10:21 AM, Noel J. Bergman wrote:
> Niclas Hedhman wrote:
> > Being in the camp "I hate Maven too"
>
> I hate Maven's lack of authentication, the potential for widespread damage, and am immensely frustrated by their *years* of willfully negligent handling thereof.
>
> > I would like to swap Noel's statement around and ask: why don't security-concerned individuals participate in the Maven effort? Lead by example and not by bashing...
>
> They have received constructive input for years. They continue to do so.
>
> Jason's comments appear to echo the old-school negligence that I'd hoped the Maven PMC was at long last starting to be cured of.
Noel, your comments are completely out of whack with reality. You are
asking Maven to enforce something that no one does. Pretty much almost
no one.
Downloads from our own servers:
57.47% archive.apache.org
40.72% www.apache.org
... almost all are zip's and [.tar].gz's (see extensions report)
92.72% .zip [Zip archives]
2.10% .gz [Gzip compressed files]
2.05% .tar.gz [Compressed archives]
< 0.1% .asc (not even listed)
Almost no one is validating PGP signatures. It's not that we couldn't
in the past, we just had to choose to implement features that
delivered what our users wanted. Checking PGP signatures is obviously
not something the vast majority of people do. So pointing your finger
at us and calling it negligence is not even remotely correct. The same
goes for checksums, which people also don't check, but Maven does this
automatically, so we are, in fact, providing a greater degree of
security to the average user. By default a big warning message
appears, and you can optionally fail builds if the checksum fails.
After having a discussion with Henk about the nature of PGP usage and
checksums I share his sentiments which he has allowed me to quote:
-- In the past I have maintained that the most important reason to
sign stuff is to protect the /ASF/ (as opposed to downloaders).
People trust the ASF to detect malware (trojans etc.) and react
upon detection. For downloaders, a simple md5 check should be
sufficient. The ASF should be as cautious/suspicious as the
most cautious/suspicious downloader imaginable. Are we?
-- Another reason: one day some computer science class is going
to compare various open-software centers (like the ASF) on
how well such centers protect themselves against malware.
The ASF should be exemplary. Are we?
When Mercury is integrated into Maven and people can optionally fail
builds on failed PGP sig validation Maven will again provide a greater
degree of security given that the practice of validating sigs is
pretty much non-existent.
> --- Noel
Thanks,
Jason
----------------------------------------------------------
Jason van Zyl
Founder, Apache Maven
jason at sonatype dot com
----------------------------------------------------------
Our achievements speak for themselves. What we have to keep track
of are our failures, discouragements and doubts. We tend to forget
the past difficulties, the many false starts, and the painful
groping. We see our past achievements as the end result of a
clean forward thrust, and our present difficulties as
signs of decline and decay.
-- Eric Hoffer, Reflections on the Human Condition
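The checksum behaviour Jason describes (verify the artifact against its repository-published sidecar digest, warn by default, optionally fail the build), as an added illustration that is not code from Maven or from anyone on this thread; the artifact bytes and sidecar are constructed here, and the policy names mirror the values Maven's repository `checksumPolicy` setting accepts.

```python
import hashlib
import re

# Policy names mirror the values Maven accepts for a repository's
# <checksumPolicy> setting; "warn" is the default the thread refers to.
POLICIES = ("ignore", "warn", "fail")


class ChecksumError(Exception):
    """Raised under the 'fail' policy when the artifact does not match."""


def parse_sidecar(text):
    """Extract the hex digest from a Maven-style .sha1/.md5 sidecar.

    Sidecars contain either the bare digest or 'digest  filename'
    (sha1sum/md5sum output); hex case varies between publishers.
    """
    m = re.match(r"\s*([0-9a-fA-F]{32,128})", text)
    if not m:
        raise ValueError("no hex digest found in sidecar")
    return m.group(1).lower()


def verify_artifact(data, sidecar_text, algo="sha1", policy="warn"):
    """Return (matched, message); raise ChecksumError only under 'fail'.

    The sidecar is served by the same repository as the artifact, so a
    match proves integrity in transit (no corruption or truncation), not
    who published it; that is what a PGP signature check would add.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown checksum policy: {policy}")
    expected = parse_sidecar(sidecar_text)
    actual = hashlib.new(algo, data).hexdigest()
    if actual == expected:
        return True, "checksum ok"
    msg = f"checksum mismatch: expected {expected}, got {actual}"
    if policy == "fail":
        raise ChecksumError(msg)
    if policy == "warn":
        print("[WARNING]", msg)  # default behaviour: warn, continue the build
    return False, msg


# Constructed sample input: a fake artifact, the sidecar a repository would
# publish for it, and a tampered copy checked against that same sidecar.
GOOD = b"PK\x03\x04 constructed fake foo-1.0.jar contents"
SIDECAR = hashlib.sha1(GOOD).hexdigest().upper() + "  foo-1.0.jar\n"
TAMPERED = GOOD + b" extra bytes"
```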