I don't know, Martin, don't you think there is security-conscious and then there is over-doing it a bit? If Jeromy took the jars as I deployed to the staging repo, signed them, then released them to the mirrors, wouldn't that be sufficient? He can check the timestamp of the file and see it was I who created them and that they haven't been modified. Yes, I suppose an uber hacker could have rooted the server and manipulated the timestamps, but if that is the case, we have _much_ bigger problems than a malicious annotations jar that isn't even used in a production Struts 2 app.

Don

On Wed, Apr 9, 2008 at 1:15 PM, Jeromy Evans <[EMAIL PROTECTED]> wrote:
> Martin Cooper wrote:
> > On Tue, Apr 8, 2008 at 6:57 PM, Jeromy Evans <[EMAIL PROTECTED]> wrote:
> > > Understood. Can I sign and distribute Don's binaries[1] or *must* they be
> > > signed by the person that built them?
> >
> > I've lost track of why Don can't sign them himself, but I would consider it
> > OK for you to do that if you use the following process:
> >
> > 1) Have Don e-mail you the binaries or otherwise get them to you in a way
> > that they could not be intercepted. (I don't consider you picking them up
> > from the URL below to be acceptable because there is a chance, however slim,
> > that those binaries could have been compromised. And yes, I realise that
> > e-mail can in fact be intercepted as well, but if you guys coordinate
> > time-wise, I think that is an acceptable risk.)
> >
> > 2) You sign them, and mail the .asc files back to Don.
> >
> > 3) Don verifies that the .asc files you sent him validate successfully
> > against the binaries that he has.
> >
> > At this point, you (Jeromy) have the appropriate signatures for what Don
> > originally built, as well as the binaries, and can take it from there.
>
> Thanks Martin,
> That doesn't take Don out of the loop so it won't alleviate the issue that
> he's been too busy to sign and distribute the binaries.
> If he's able to validate the .asc against the original binaries he's able
> to generate them. It's less effort and risk to wait until Don has time to
> complete the task.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
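
The sign-and-verify round trip from steps 2 and 3 of the process quoted above, sketched as an added example that is not part of the original thread or the project's release tooling. It assumes GnuPG 2.x; the function names, the key id argument and the directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: detached OpenPGP signatures made by one person and checked
# by another against that person's own copy of the files.
# Assumes GnuPG 2.x on PATH; key ids and directories are hypothetical.

# Signer side (step 2): write an ASCII-armoured detached signature
# (<name>.jar.asc) next to every jar in <dir>.
# usage: sign_artifacts <key-id> <dir>
sign_artifacts() {
    key=$1 dir=$2
    for jar in "$dir"/*.jar; do
        [ -f "$jar" ] || continue
        gpg --batch --yes --local-user "$key" --armor \
            --output "$jar.asc" --detach-sign "$jar" || return 1
    done
}

# Builder side (step 3): check each returned .asc against the builder's OWN
# copy of the jar, not the copy the signer held. A signature only validates
# if the signed bytes are identical to the bytes that were built.
# usage: verify_against_local <sig-dir> <own-build-dir>
# Returns 0 only if every jar in <own-build-dir> has a valid signature.
verify_against_local() {
    sigdir=$1 builddir=$2 rc=0
    for jar in "$builddir"/*.jar; do
        [ -f "$jar" ] || continue
        name=$(basename "$jar")
        sig="$sigdir/$name.asc"
        if [ ! -f "$sig" ]; then
            echo "MISSING  $name"; rc=1
        elif gpg --batch --verify "$sig" "$jar" 2>/dev/null; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done
    return $rc
}
```

The signer runs `sign_artifacts` on the copy received; the builder runs `verify_against_local` with the returned `.asc` files and the original build directory. A `MISMATCH` line means the bytes that were signed differ from the bytes that were built.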