On 6/3/08, Gilles Scokart <[EMAIL PROTECTED]> wrote:
> I thought this thread started with the idea: if maven would be able
> to validate signature, we could use this feature to inform someone
> that he is using incubator artefacts.
> I thought the idea that launched this thread was to have a unique key
> for the incubator that the user has to trust if he wants to use
> incubator artefacts.

Stated like that then the artifact would need to be encrypted

> My question was in that context.

AIUI maven decided against enforcing download verification. So requires the maven team developing this feature first.

Robert

>
> 2008/6/2 Noel J. Bergman <[EMAIL PROTECTED]>:
>> Gilles Scokart wrote:
>>
>>> Noel J. Bergman:
>>> > Implement that, and we're fine. We will
>>> > require Incubator artifacts to be signed by a designated key available to
>>> > the PMC, and once a user has acknowledged that they accept such Incubator
>>> > signed artifacts, maven can do what it wants with them.
>>> >
>>> > --- Noel
>>
>>> Is that really possible?
>>
>> Very.
>>
>>> I remember some discussion on the infra list about an ASF wide signature.
>>> And the conclusion was always the same: how to secure a key that can be
>>> used by so many people. If I remember well, some solutions were proposed,
>>> but they were quite heavy. Do we have a solution for that?
>>
>> There are various things that can be done with respect to key management.
>> Personally, I would not go with a single key. But maven ought to maintain a
>> trust file, with options to accept files that are signed with a trusted key,
>> or signed by a key that is signed by a trusted key, etc. The first thing
>> that has to happen is for the Maven PMC to make security a priority.
>>
>> --- Noel
>>
>
> --
> Gilles Scokart

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
