On 3-Oct-08, at 12:31 PM, Noel J. Bergman wrote:

Jason van Zyl wrote:

Noel J. Bergman wrote:
We don't need for you to implement any "policy" other than the
requirement for users to approve authorized signing keys.  You
simply need to implement artifact signing and mandatory
authorization, which is why I've moved this to the thread Brett
started for purposes of discussing signing.

You are not the Incubator PMC

And where did I imply otherwise??

and what the Incubator says they require is far from clear. Disclaimers,
notices, PGP keys. No one knows what anyone wants here. No one
can follow these discussions.

That's rather over the top.

We're talking years here Noel. Point at anything that succinctly states the policy. Doesn't exist. I think if you asked anyone right now they would have no idea what the result is. We had a majority vote, someone on the board said that's the way we should go, some agree, some don't, then you step in and say that's not the way it is because Greg said that's the way it is. It's not meant to be over the top, just a statement of fact.

The disclaimer and notice requirements are well
documented and have been for a long time. The PGP key situation is under discussion, likely to be resolved by the Infrastructure Team, and will be an
ASF-wide issue.  The Incubator relationship is that the same mandatory
requirement for security that needs to be imposed on Maven can also address the long-standing requirement that users be aware of and accepting that they
are using Incubator artifacts.

You won't be imposing anything on Maven and what we do with central or what security measures we do, or do not, implement. Policy here is, of course, of the IPMC. Turn on/off repositories as you see fit. It's got nothing to do with the way Maven users access the central repository. If you don't want to participate directly in making artifacts available, then don't.

We're not fighting you, and technically we've made it easier for folks to check if there are signatures, but lots of projects don't, and that's not Maven's problem, it's not Ivy's problem, it's not Buildr's problem.

Oleg, who is responsible for implementing Mercury which has
full PGP support, has this functionality working on all branches of
Maven but the option to use it will be in the hands of the user. As
the quality and tools for supporting PGP get better, and more people
use them we will again take a look at the default behavior.

Did you not see what just happened to Red Hat with respect to
Fedora?  They take artifact security seriously.  For a long time,
it has appeared that Maven does not, but I am hopeful now that
mandatory authorization will appear, so that I and others will not
have to increase lobbying efforts to have the Maven repository
closed, at least with respect to ASF projects.

How are you going to stop people from [creating their own artifacts and
repositories], Noel, when it's their right?

We don't have to. We can simply mandate that every ASF project sign their
artifacts and charge the Maven PMC with enforcing it.

The first part is already mandated, or I certainly thought it was. The second part of that is not going to happen.

And perhaps now you start to gain a glimmer of the depth of the problem
created by Maven's irresponsible, unconscionable, lackadaisical attitude
towards security, despite other repository exemplars (e.g., Linux
distributions) having had security in place for years. Yes, it may be a bit painful to make the change. On the other hand, imagine the fun when someone puts a nice bit of malware into the security-free zone known as the Maven repository. Not only do I agree with Henning's assessment, I think
that network administrators should block the Maven repository at their
firewalls.

Tell them that. See what they do.

        --- Noel
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com
----------------------------------------------------------

We all have problems. How we deal with them is a measure of our worth.

 -- Unknown
