> since anything downloaded comes over https and is already signature
> checked

Transport security is something completely different and does not ensure you get the "right" artifact, just that it was not tampered with in between.

> How does this signature check prevent someone from doing something bad?

I think the best thing (even though probably not realistic) would be to ask the user if they trust a key (e.g. one from Apache, one from Eclipse, one from ...) that is then used to trust "project keys".

That way you can't accidentally pull in things via a dependency chain, and even if you are using a mirror (e.g. Nexus) you can always trace back to the originator.

On 01.10.23 at 14:48, Elliotte Rusty Harold wrote:
> 1. I suspect dependabot doesn't work with this. Does it? Is this worth
> giving up dependabot for?
>
> 2. What's the threat model? As best I can make out, someone would have
> to compromise the dependencies in the local .m2/repo since anything
> downloaded comes over https and is already signature checked.
>
> 3. Suppose someone does succeed in compromising this. What's the
> impact? I suppose if someone changed junit.jar (for one example) they
> could make maven test exfiltrate local data or run a crypto miner. But
> I don't think we should be in the business of protecting against local
> compromises.
>
> How does this signature check prevent someone from doing something bad?
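The trust model sketched in the reply above (the user trusts a few root keys, those roots certify project keys, and an artifact is accepted only if it is signed by a certified project key), as an added Go example that is not from this thread or from Maven itself. It stands in Ed25519 and SHA-256 for the PGP signatures Maven uses; the "apache" and "junit" keys and the jar bytes are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certification: a root key the user explicitly chose to trust (e.g. "apache") signed a
// project's public key (see Certify), so trust in any project key traces back to the user.
type Certification struct{ Root, Project ed25519.PublicKey; Sig []byte }
// Artifact: the jar bytes plus a detached signature over their SHA-256 by the project key (see Sign).
type Artifact struct{ Data []byte; Signer ed25519.PublicKey; Sig []byte }

func Certify(root ed25519.PrivateKey, project ed25519.PublicKey) Certification {
	return Certification{root.Public().(ed25519.PublicKey), project, ed25519.Sign(root, project)}
}

func Sign(project ed25519.PrivateKey, data []byte) Artifact {
	d := sha256.Sum256(data)
	return Artifact{data, project.Public().(ed25519.PublicKey), ed25519.Sign(project, d[:])}
}

// Verify accepts an artifact only if the signature over its bytes checks AND its signer is certified
// by a root the user trusts; where the bytes came from (https, a Nexus mirror, a transitive dependency) is irrelevant.
func Verify(roots []ed25519.PublicKey, certs []Certification, a Artifact) error {
	if d := sha256.Sum256(a.Data); !ed25519.Verify(a.Signer, d[:], a.Sig) {
		return errors.New("artifact signature does not verify")
	}
	for _, c := range certs {
		for _, r := range roots {
			if c.Project.Equal(a.Signer) && r.Equal(c.Root) && ed25519.Verify(r, c.Project, c.Sig) {
				return nil
			}
		}
	}
	return errors.New("signer not certified by any user-trusted root")
}

func main() {
	apache, apachePriv, _ := ed25519.GenerateKey(rand.Reader) // the one key the user chose to trust
	junit, junitPriv, _ := ed25519.GenerateKey(rand.Reader)   // project key, certified by apache
	roots, certs := []ed25519.PublicKey{apache}, []Certification{Certify(apachePriv, junit)}
	jar := Sign(junitPriv, []byte("constructed junit.jar bytes"))
	fmt.Println(Verify(roots, certs, jar)) // <nil>: trusted chain, untouched bytes
	jar.Data = append(jar.Data, '!')       // a mirror altered one byte; https alone would not catch this
	fmt.Println(Verify(roots, certs, jar)) // artifact signature does not verify
}
```

A jar signed by a key that no user-trusted root has certified is rejected even when its own signature is valid, which is what stops a transitive dependency from introducing a new signer unnoticed.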

