Hello, I have started a POC a while back which can "lock" dependencies by a special checksum file. However it is not really secure as a plugin, as you cannot prevent other plugins from overwriting yours.

It is not finished, it was an exercise in some internal Maven APIs: https://github.com/ecki/lockdep-maven-plugin

There is a productive plugin which can generate checksums, but not check them: https://github.com/nicoulaj/checksum-maven-plugin

Greetings
Bernd

BTW: Bintray's jcenter mirrors central and other stuff and offers SSL; of course it adds additional possibilities to inject malicious stuff. And yes, there are PGP files, but not really a good way to verify them. I wish ASF infra would publish a md5sum of their maven2 directory.

On Tue, 29 Jul 2014 22:14:33 +0200, Hervé BOUTEMY <[email protected]> wrote:

> direct control by Maven while downloading dependencies seems ideal,
> but I fear it's hard to have normal users aware of keys and manage it
> while building their artifacts
>
> I imagine something useful would be some report too, to display the
> status of actual dependencies: imagine adding key reference to every
> dependency in dependencies report [1]
>
> Anybody interested in coding such improvement?
> or any other idea?
>
> Definitely, seems the right moment to improve users awareness about
> security: IMHO, people will discover that security isn't automagic
> and will require involvement to decide what to trust and what to not
> trust, and that trust is a personal choice
>
> Regards,
>
> Hervé
>
> [1]
> http://maven.apache.org/plugins/maven-dependency-plugin/dependencies.html
>
> On Tuesday, 29 July 2014 13:31:30, Brett Porter wrote:
> > On 29 Jul 2014, at 12:14 pm, Mark Derricutt <[email protected]> wrote:
> > > Hey all,
> > >
> > > Just been reading [1] after it was mentioned in both #scala and
> > > #clojure on irc.freenode.org now, is there anything that can be
> > > done to alleviate some of these issues?
> > >
> > > oss.sonatype.org now requires everything to be GPG signed before
> > > being uploaded to central, but I'm not sure about any of the
> > > other means of getting artifacts uploaded.
> > >
> > > Are there any plugins out there to verify GPG signings of
> > > dependencies?
> >
> > If anyone is interested in picking up work on this, I pulled some
> > things together some years ago:
> > http://docs.codehaus.org/display/MAVEN/Repository+Security
> >
> > There was a working prototype against Maven 2, but for various
> > reasons didn't get further than that.
> >
> > - Brett
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
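The "lock dependencies by a checksum file" idea from the thread above, as an added example that is not code from the lockdep plugin, the checksum-maven-plugin or Maven itself: a small Python verifier that hashes jars in a local repository and compares them against a lock file, reporting each artifact as ok, mismatch or missing. The lock-file format, the coordinates and the jar bytes are assumptions constructed for this example.

```python
import hashlib
import os
import tempfile

def parse_lock(text):
    """Assumed format (hypothetical): 'groupId:artifactId:version sha256hex' per line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line:
            coords, digest = line.split()
            entries[coords] = digest.lower()
    return entries

def artifact_path(repo, coords):
    # Maven local-repository layout: group/dirs/artifact/version/artifact-version.jar
    group, artifact, version = coords.split(":")
    return os.path.join(repo, *group.split("."), artifact, version,
                        f"{artifact}-{version}.jar")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_lock(repo, lock_text):
    """Map each locked coordinate to 'ok', 'mismatch' (bytes changed) or 'missing'."""
    result = {}
    for coords, expected in parse_lock(lock_text).items():
        path = artifact_path(repo, coords)
        result[coords] = ("missing" if not os.path.isfile(path)
                          else "ok" if sha256_file(path) == expected else "mismatch")
    return result

def build_sample_repo():
    """Constructed fixture: temp repo with two fake jars and a lock file that has one
    correct digest, one stale digest (tampered) and one artifact never downloaded."""
    repo = tempfile.mkdtemp()
    jars = {"org.example:good-lib:1.0": b"PK\x03\x04 fake jar A",
            "org.example:tampered-lib:2.1": b"PK\x03\x04 fake jar B"}
    for coords, data in jars.items():
        os.makedirs(os.path.dirname(artifact_path(repo, coords)))
        with open(artifact_path(repo, coords), "wb") as f:
            f.write(data)
    lock = "# constructed lock file\n"
    lock += f"org.example:good-lib:1.0 {hashlib.sha256(jars['org.example:good-lib:1.0']).hexdigest()}\n"
    lock += f"org.example:tampered-lib:2.1 {'0' * 64}\norg.example:absent-lib:3.0 {'1' * 64}\n"
    return repo, lock
```

Run outside Maven (for example as a CI step over the build's local repository), a check like this cannot be overwritten by another plugin, which is the weakness Bernd describes for the plugin approach. It only detects that bytes changed since the lock file was written; deciding which digests to trust in the first place is still the user's call, as Hervé notes.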
