[jira] [Created] (MNG-6026) Extend the Project Object Model (POM) with OpenPGP (RFC 4880) trust information

Thu, 19 May 2016 10:56:31 -0700 

Florian Schmaus created MNG-6026:
------------------------------------

             Summary: Extend the Project Object Model (POM) with OpenPGP (RFC 
4880) trust information
                 Key: MNG-6026
                 URL: https://issues.apache.org/jira/browse/MNG-6026
             Project: Maven
          Issue Type: New Feature
          Components: core
            Reporter: Florian Schmaus


I'm not sure if this is the right place to raise an feature request for the POM 
format itself. I've already tried to get in touch with the right people about 
this feature request, but failed. I'm willing to help designing and 
implementing tihs, but need guidance.

The origin of this feature request is 
http://stackoverflow.com/a/34795359/194894, and [especially a SO user 
requesting me to put this 
up|http://stackoverflow.com/questions/3307146/verification-of-dependency-authenticy-in-maven-pom-based-automated-build-systems/34795359?noredirect=1#comment62178671_34795359].

h2. Extend the Project Object Model (POM) with OpenPGP (RFC 4880) trust 
information

What we need is the possibility to model a trust relation from your project or 
artifact to the declared dependencies. So that, if all involved parties declare 
such a relation, we are able to create a "chain of trust" from the root (e.g. 
the project) over its dependencies down to the very last transitive dependency. 
The Project Object Model (POM) needs to be extended by a <verification/> 
element for dependencies.

h3. Current Situation

Right now we have something like

{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.0</version>
</dependency>
{code}

h3. Hard dependencies

For hard dependencies, <verfication/> could include the sha256sum of artifact 
and its POM file:

{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.0</version>
  <verification>
    <checksum hash='sha-256'>
      <pom>[sha256 of junit pom file]</pom>
      <artifact>[sha256sum of artifact (junit.jar)]</artifact>
    </checksum>
  </verification>
</dependency>
{code}

h3. Soft dependencies

If soft or ranged dependencies are used, then we could specify the public key 
(or multiple) of the keypair used to sign the artifacts

{code:xml}
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0,4.5)</version>
  <verification>
    <openpgp>[secure fingerprint of OpenPGP key]</openpgp>
    <!-- possible further 'openpgp' elements in case the artifacts in the
         specified version range where signed by multiple keys -->
  </verification>
</dependency>
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to