Jason van Zyl wrote:
> - include a pointer to an md5 file for the bundle inside the bundle and
> the location must be a public location on the project's site so
> obviously a developer must have access to this site.
>
> - push the bundle to a machine where the md5 file for the bundle can be
> retrieved and verified.
>
> - if the bundle passes mustard it goes to a directory where it can be
> sync'd by the ibiblio folks.
This is nice and simple, but how do you prevent Joe from uploading a bundle that claims that it contains Mike's software, pointing to a website controlled by Joe as the location of the MD5?

If we had a policy that groupId == project's website hostname, and looked for the md5 in a location like http://${groupId}/bundles/${bundleName}.md5, the scheme would probably be sufficient (Joe wouldn't be able to mess with Mike's software, unless he broke into his website). Unfortunately we don't have such a policy, and it doesn't seem likely that we can introduce it at this point - virtually every POM in existence would have to be altered.

I think the only reasonably safe way of doing this is passing <groupId;pkey> pairs to ibiblio over some sort of trusted channel, and signing the bundle md5s. The 'trusted channel' above could be PGP mail - ibiblio should keep the information on who sent the pkey - this person vouches for artifact integrity.

R.
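The weakness R. describes (an md5 pointer inside the bundle can name any host) next to the groupId-bound lookup he proposes, as an added Python example that is not code from this thread or from Maven/ibiblio; the public sites are simulated with an in-memory dict, and the hostnames, bundle names and bundle bytes are constructed.

```python
import hashlib
from urllib.parse import urlparse

# Constructed stand-in for the public web: hostname -> {path: file contents}.
# A real upload machine would fetch these over HTTP from the project's own site.
HOSTED = {}

def publish_md5(hostname, bundle_name, bundle_bytes):
    """A project publishes the md5 of its bundle on its own site (constructed helper)."""
    path = f"/bundles/{bundle_name}.md5"
    HOSTED.setdefault(hostname, {})[path] = hashlib.md5(bundle_bytes).hexdigest()

def fetch(url):
    """Simulated fetch of a public md5 file; None if the file does not exist."""
    u = urlparse(url)
    return HOSTED.get(u.hostname, {}).get(u.path)

def md5_matches(md5_url, bundle_bytes):
    expected = fetch(md5_url)
    return expected is not None and expected == hashlib.md5(bundle_bytes).hexdigest()

def verify_naive(bundle):
    """The scheme as quoted: trust whatever md5 location the bundle itself points at."""
    return md5_matches(bundle["md5_pointer"], bundle["bytes"])

def verify_group_bound(bundle):
    """R.'s proposal: derive the md5 location from the groupId and ignore the pointer,
    so the uploader cannot redirect verification to a host they control."""
    url = f"http://{bundle['groupId']}/bundles/{bundle['name']}.md5"
    return md5_matches(url, bundle["bytes"])

# Constructed scenario: Mike's genuine bundle, and a second upload that claims Mike's
# groupId but points the md5 lookup at a different site.
MIKE_JAR = b"mike's genuine widget-1.0.jar (constructed bytes)"
JOE_JAR = b"replacement widget-1.0.jar (constructed bytes)"
publish_md5("mike.example.org", "widget-1.0.jar", MIKE_JAR)
publish_md5("joe.example.net", "widget-1.0.jar", JOE_JAR)

MIKE_UPLOAD = {"groupId": "mike.example.org", "name": "widget-1.0.jar", "bytes": MIKE_JAR,
               "md5_pointer": "http://mike.example.org/bundles/widget-1.0.jar.md5"}
JOE_UPLOAD = {"groupId": "mike.example.org", "name": "widget-1.0.jar", "bytes": JOE_JAR,
              "md5_pointer": "http://joe.example.net/bundles/widget-1.0.jar.md5"}

if __name__ == "__main__":
    for label, b in (("mike", MIKE_UPLOAD), ("joe", JOE_UPLOAD)):
        print(label, "naive:", verify_naive(b), "group-bound:", verify_group_bound(b))
```

The naive check accepts both uploads because each md5 file is consistent with its own bundle; the group-bound check only consults mike.example.org, so the second upload fails.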
