On 3-Oct-08, at 12:31 PM, Noel J. Bergman wrote:
Jason van Zyl wrote:
Noel J. Bergman wrote:
We don't need for you to implement any "policy" other than the
requirement for users to approve authorized signing keys. You
simply need to implement artifact signing and mandatory
authorization, which is why I've moved this to the thread Brett
started for purposes of discussing signing.
You are not the Incubator PMC
And where did I imply otherwise??
and what the Incubator says they require is far from clear. Disclaimers, notices, PGP keys. No one knows what anyone wants here. No one can follow these discussions.
That's rather over the top.
We're talking years here Noel. Point at anything that succinctly
states the policy. Doesn't exist. I think if you asked anyone right
now they would have no idea what the result is. We had a majority
vote, someone on the board said that's the way we should go, some
agree, some don't, then you step in and say that's not the way it is
because Greg said that's the way it is. It's not meant to be over the
top, just a statement of fact.
The disclaimer and notice requirements are well documented and have been for a long time. The PGP key situation is under discussion, likely to be resolved by the Infrastructure Team, and will be an ASF-wide issue. The Incubator relationship is that the same mandatory requirement for security that needs to be imposed on Maven can also address the long-standing requirement that users be aware of and accepting that they are using Incubator artifacts.
You won't be imposing anything on Maven, or on what we do with central, or on what security measures we do or do not implement. Policy here is, of course, of the IPMC. Turn on/off repositories as you see fit. It's got nothing to do with the way Maven users access the central repository. If you don't want to participate directly in making artifacts available, then don't.
We're not fighting you, and technically we've made it easier for folks to check if there are signatures, but lots of projects don't, and that's not Maven's problem, it's not Ivy's problem, it's not BuildR's problem. Oleg, who is responsible for implementing Mercury, which has full PGP support, has this functionality working on all branches of Maven, but the option to use it will be in the hands of the user. As the quality and tools for supporting PGP get better, and more people use them, we will again take a look at the default behavior.
Did you not see what just happened to Redhat with respect to
Fedora? They take artifact security seriously. For a long time,
it has appeared that Maven does not, but I am hopeful now that
mandatory authorization will appear, so that I and others will not
have to increase lobbying efforts to have the Maven repository
closed, at least with respect to ASF projects.
How are you going to stop people from [creating their own artifacts and repositories] Noel when its their right?
We don't have to. We can simply mandate that every ASF project sign their artifacts and charge the Maven PMC with enforcing it.
The first part is already mandated, or I certainly thought it was. The
second part of that is not going to happen.
And perhaps now you start to gain a glimmer of the depth of the problem created by Maven's irresponsible, unconscionable, lackadaisical attitude towards security, despite other repository exemplars (e.g., Linux distributions) having had security in place for years. Yes, it may be a bit painful to make the change. On the other hand, imagine the fun when someone puts a nice bit of malware into the security-free zone known as the Maven repository. Not only do I agree with Henning's assessment, I think that network administrators should block the Maven repository at their firewalls.
Tell them that. See what they do.
--- Noel
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Thanks,
Jason
----------------------------------------------------------
Jason van Zyl
Founder, Apache Maven
jason at sonatype dot com
----------------------------------------------------------
We all have problems. How we deal with them is a measure of our worth.
-- Unknown