On Sun, Sep 29, 2019 at 9:43 PM Vladimir Sitnikov < [email protected]> wrote:
> > can you describe the approach we need to follow in such a case?
>
> There are different views on the matter.
>
> There is a view that dependencies should be verified on CI servers only
> (see https://github.com/ben-manes/caffeine/pull/342#issuecomment-536228799 )
> For instance, we could configure the build in such a way that it validates
> checksums only if it is explicitly configured.
>
> Nevertheless,
>
> 1) I suggest asking library vendors to publish PGP keys.
>
> I have already created a couple of issues, and I tend to copy-paste the
> same request with slight variations.
>
> See
> https://gitlab.ow2.org/asm/asm/issues/317884
> https://github.com/raphw/byte-buddy/issues/721
> https://github.com/spring-projects/spring-framework/issues/23434#issuecomment-523882229
> https://github.com/junit-team/junit5/issues/2020
> https://github.com/hamcrest/JavaHamcrest/issues/274
> https://github.com/jacoco/jacoco/issues/937
> https://github.com/GPars/GPars/issues/62
> https://youtrack.jetbrains.com/issue/KT-33781
>
> and so on.
>
> Some of them are already implemented (e.g. JUnit);
> caffeine and RSyntaxTextArea also did that.
>
> 2) Sometimes committers sign their commits/tags, and if you treat GitHub
> as an authoritative source code repository, then it can happen that the
> commit signing key matches the release key.
> See https://github.com/dnsjava/dnsjava/releases . The release tag is
> signed with 3449EC3AC2EFE8AA, which is the same key you mention.

ok

> 3) As you said, keybase.io might help to associate different
> logins/domains with a PGP key id. Keybase identity claims are
> cryptographically verified, so if Keybase shows "the person owns GitHub
> login and Twitter login", then it means they can indeed post a comment. It
> might happen that you know a library author by their Twitter handle; however,
> Twitter does not allow publishing a "PGP key". Keybase might help to relate
> those ids.
>
> However, it is not clear how to document the result of those
> investigations.
>
> For instance, JUnit5 has added a link to the KEYS file.
> The link is placed at the official site (search https://junit.org/junit5/ for
> KEYS), and it points to a GitHub HTML (!) page.
> Frankly speaking, I would prefer a plain-text URL for KEYS.
> I've no idea where we could / should document the analysis of "here's a
> trace/link for verification of the key in question".
>
> We could create a side file (or a wiki page) to document "dependency --
> website -- keys link".
> I'm open to suggestions here.
>
> You might have seen there's a META files initiative; however, it is
> ASF-specific.
>
> Vladimir

-- 
Philippe Mouawad
Senior Performance Expert
Ubik Ingenierie <https://www.ubik-ingenierie.com>
+33 3 20 91 49 81 | 23 rue du chemin de fer, 59100 Roubaix
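The quoted message sketches two mechanics without showing them: a build that validates dependency checksums only when explicitly configured (the "verify on CI servers only" view), and a side file recording "dependency -- website -- keys link" so that the result of a key investigation is documented next to the digest it justifies. The script below is an added example illustrating both; it is not code from this thread's authors, from JMeter, Gradle or any of the projects linked above. Every coordinate, artifact byte string, digest, PGP key id and KEYS URL in it is a constructed placeholder.

```python
"""Checksum gate for third-party dependencies, driven by a trust side file.

Added example, not project code. The side file format is an assumption:
one dependency per line, whitespace separated:
  coordinates  sha256-of-artifact  pgp-long-key-id  keys-url
The sha256 column is what the build enforces; the key id and KEYS URL
columns are the human-readable trace of *why* that digest is trusted
(which key signed the release, and where that key was published).
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed side file template. Digests are filled in from the
# constructed artifacts below so the example is self-consistent.
SIDE_FILE = """\
# coordinates        sha256                                                            pgp-key-id        keys-url
org.example:lib:1.0  {sha_lib}  0123456789ABCDEF  https://example.invalid/lib/KEYS
org.example:util:2.3 {sha_util}  FEDCBA9876543210  https://example.invalid/util/KEYS
"""

# Constructed stand-ins for downloaded jars (hypothetical coordinates).
ARTIFACTS: Dict[str, bytes] = {
    "org.example:lib:1.0": b"PK\x03\x04 pretend jar bytes for lib 1.0",
    "org.example:util:2.3": b"PK\x03\x04 pretend jar bytes for util 2.3",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class TrustEntry:
    coordinates: str
    sha256: str
    key_id: str
    keys_url: str


def parse_side_file(text: str) -> Dict[str, TrustEntry]:
    """Parse the side file; reject malformed, non-hex or duplicate entries."""
    entries: Dict[str, TrustEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed trust line: {raw!r}")
        coords, digest, key_id, url = parts
        if len(bytes.fromhex(digest)) != 32:  # raises on non-hex input too
            raise ValueError(f"bad sha256 for {coords}")
        if coords in entries:
            raise ValueError(f"duplicate entry for {coords}")
        entries[coords] = TrustEntry(coords, digest.lower(), key_id.upper(), url)
    return entries


def verify_dependencies(artifacts: Dict[str, bytes],
                        trust: Dict[str, TrustEntry],
                        enforce: bool) -> List[str]:
    """Return a list of problems; an empty list means the build may proceed.

    A digest mismatch is always a problem: a pinned artifact that changed
    is never acceptable. A dependency with no entry at all is a problem
    only when enforce=True (the CI setting), so a developer can add a
    library locally, but CI refuses anything nobody has recorded a trust
    line for, including a silently added transitive dependency.
    """
    problems: List[str] = []
    for coords, data in sorted(artifacts.items()):
        actual = sha256_hex(data)
        entry = trust.get(coords)
        if entry is None:
            if enforce:
                problems.append(f"{coords}: no trust entry (sha256 {actual})")
            continue
        if actual != entry.sha256:
            problems.append(f"{coords}: sha256 mismatch, expected "
                            f"{entry.sha256} got {actual} "
                            f"(trusted via {entry.key_id} at {entry.keys_url})")
    return problems


def build_side_file() -> str:
    """Fill the constructed template with digests of the constructed artifacts."""
    return SIDE_FILE.format(sha_lib=sha256_hex(ARTIFACTS["org.example:lib:1.0"]),
                            sha_util=sha256_hex(ARTIFACTS["org.example:util:2.3"]))


def check(enforce: bool, artifacts: Optional[Dict[str, bytes]] = None) -> List[str]:
    trust = parse_side_file(build_side_file())
    return verify_dependencies(ARTIFACTS if artifacts is None else artifacts,
                               trust, enforce)


if __name__ == "__main__":
    import sys
    found = check(enforce="--enforce" in sys.argv)  # e.g. pass --enforce on CI
    for p in found:
        print("FAIL", p)
    print("OK" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it with `--enforce` on CI and without locally; the two differ only in how an unlisted dependency is treated, which is the compromise the "verify on CI servers only" view is after. The key id and KEYS URL columns do no cryptography here: they are the documented trace, so that whoever later changes a digest can see which published key the previous entry was checked against and re-verify the `.asc` signature with `gpg` before updating the line.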
