Okay, it doesn't look like there is much interest in this. I'll post a broad overview of my thoughts and see if that kicks off any other discussion and, if not, I'll just let it drop.

So, currently the repository security is a bit of a misnomer. Everything to date is implemented in the transport layer and is focused exclusively on checking the integrity of the download.

What I'd like to suggest is that, instead of trying to push security policies into the core engine or the transport layer, a better approach would be to use the existing lifecycle/phase mechanism and allow people to implement the policies they wanted as plugins. So, for example, there could be a "validate dependencies" phase that occurred after dependencies were pulled in but before their usage. Such plugins could implement GPG checking, checksum checking, license checking, checks to see if jars were signed by a trusted party, checks to see if jars were sealed, etc. Likewise, at the end of the lifecycle, there could be a dedicated phase to perform various security-related actions on the produced artifact (e.g., create GPG signatures, create checksums, sign JARs). This would allow people to implement what they needed without complicating the transport or core engine code or forcing any particular user to use any particular security policy. It also allows for new policies to be added in the future without having to touch system internals.

I think the change to internal code would be that artifacts were no longer treated as "just the jar/war/ear/pom". Instead, metadata about the artifact (e.g., its location) and various "attachments" (e.g., checksums and signatures) would also be part of the logical artifact. This also, I think, allows things like source and javadoc "artifacts" to comfortably live inside the framework instead of being a bit of a special case.

On 4/2/11 8:34 AM, Chad La Joie wrote:
> Quite some time ago I was asking[1] about PGP support in Maven. And in
> February Brett noted[2][3] some initial thinking he had done around
> increasing certain security aspects of Maven repositories.
>
> I've come back to this topic again and have been doing some thinking on
> it.
> Is this still a topic people are interested in? Is there a
> willingness to make changes to APIs in order to support this kind of work?
>
> I can write up my current thoughts on the topic if there is some interest.
>
> [1] http://www.mail-archive.com/[email protected]/msg75604.html
> [2] http://www.mail-archive.com/[email protected]/msg87327.html
> [3] https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Security

--
Chad La Joie
http://itumi.biz
trusted identities, delivered
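As an added illustration (not code from this thread or from Maven itself), here is a small Python sketch of the model proposed above: a logical artifact that carries attachments, policy plugins as plain callables, and a hypothetical "validate dependencies" phase that runs every policy over every resolved artifact. The checksum policy does real verification against a Maven-style .sha1 sidecar and reports both a missing checksum and a mismatch; the signature policy only checks that a detached signature is attached, where a real plugin would hand the .asc file to GPG. All names, the phase, and the sample repository are constructed for the example.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

@dataclass
class Artifact:
    """Logical artifact: the main file plus named attachments (hypothetical model)."""
    coordinates: str
    path: Path
    attachments: dict = field(default_factory=dict)  # e.g. {"sha1": Path, "asc": Path}

def checksum_policy(artifact):
    """Verify a Maven-style .sha1 sidecar: hex digest, optionally followed by a filename."""
    sidecar = artifact.attachments.get("sha1")
    if sidecar is None:
        return f"{artifact.coordinates}: no SHA-1 checksum attached"
    expected = sidecar.read_text().split()[0].lower()
    actual = hashlib.sha1(artifact.path.read_bytes()).hexdigest()
    return None if expected == actual else f"{artifact.coordinates}: checksum mismatch"

def signature_policy(artifact):
    """Require a detached signature; a real plugin would verify it with GPG here."""
    return None if "asc" in artifact.attachments else f"{artifact.coordinates}: no signature attached"

def validate_dependencies(artifacts, policies):
    """The proposed phase: run every policy plugin over every resolved artifact."""
    return [problem for a in artifacts for p in policies if (problem := p(a))]

def demo():
    """Constructed sample repository: one good artifact, one tampered, one unsigned."""
    root = Path(tempfile.mkdtemp())
    def make(name, body, checksum_of=None, signed=True):
        jar = root / name
        jar.write_bytes(body)
        sha = root / (name + ".sha1")
        sha.write_text(hashlib.sha1(checksum_of or body).hexdigest() + "  " + name + "\n")
        attachments = {"sha1": sha}
        if signed:
            asc = root / (name + ".asc")
            asc.write_text("-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n")
            attachments["asc"] = asc
        return Artifact(name, jar, attachments)
    artifacts = [
        make("good-1.0.jar", b"good bytes"),
        make("tampered-1.0.jar", b"modified bytes", checksum_of=b"original bytes"),
        make("unsigned-1.0.jar", b"fine bytes", signed=False),
    ]
    return validate_dependencies(artifacts, [checksum_policy, signature_policy])
```

Running demo() returns one failure for the tampered artifact and one for the unsigned one; the good artifact passes both policies.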
