On 10 June 2014 16:20, Marvin Humphrey <mar...@rectangular.com> wrote:
> One fundamental problem with compiled deps is that unlike source code, they
> cannot be reviewed by a PMC -- so they are potential trojan horses. Maybe
> it's possible to address that specific concern by compiling an ASF whitelist
> of individual jar files whose provenance can be guaranteed and whose identity
> is verified via PGP prior to committing?
>

True, but who does a transitive validation of all mvn/ivy dependencies, validating the checksums from an HTTPS server while pulling them down from a normal HTTP link? Were I to perform a MITM intercept of Maven Central DNS/GETs at something like ApacheCon, I'd probably have everyone's password-less SSH keys within 48 hours.

Speaking of which, 12 days for your ApacheCon EU submission...

-Steve
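As an added example, not part of the thread, here is the defender-side check that follows from the two weaknesses Steve points at: repository URLs that a build resolves over plain HTTP, and an artifact digest pinned independently of the download rather than taken from the same server. The pom fragment, hostnames and artifact bytes below are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed pom.xml fragment (not a real project): one repository and one
# plugin repository are declared over plain HTTP and can be tampered with in transit.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <repositories>
    <repository><id>central</id><url>https://repo1.maven.org/maven2</url></repository>
    <repository><id>internal</id><url>http://repo.example.internal/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>http://plugins.example.internal/maven2</url></pluginRepository>
  </pluginRepositories>
</project>"""

# Constructed stand-in for a downloaded jar; a real check would read the file from ~/.m2.
ARTIFACT = b"PK\x03\x04 constructed jar contents, not a real archive"


def insecure_repositories(pom_xml: str) -> list[tuple[str, str]]:
    """Return (id, url) for every <repository>/<pluginRepository> fetched over http://."""
    root = ET.fromstring(pom_xml)
    flagged = []
    for tag in ("repository", "pluginRepository"):
        for repo in root.iter(f"{{{POM_NS}}}{tag}"):
            url = (repo.findtext(f"{{{POM_NS}}}url") or "").strip()
            if url.lower().startswith("http://"):
                flagged.append((repo.findtext(f"{{{POM_NS}}}id") or "?", url))
    return flagged


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, pinned_sha256_hex: str) -> bool:
    """Compare the artifact digest against one obtained independently of the download
    (a reviewed whitelist or an HTTPS-fetched checksum). The .sha1 sidecar Maven
    fetches from the same repository proves nothing if that repository was
    intercepted, so it is deliberately not consulted here."""
    return hmac.compare_digest(sha256_hex(data), pinned_sha256_hex.strip().lower())


if __name__ == "__main__":
    for repo_id, url in insecure_repositories(SAMPLE_POM):
        print(f"insecure repository {repo_id!r}: {url}")
    print("artifact ok:", verify_artifact(ARTIFACT, sha256_hex(ARTIFACT)))
```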