[
https://issues.apache.org/jira/browse/MNGSITE-334?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karl Heinz Marbaise moved MNG-6367 to MNGSITE-334:
--------------------------------------------------
Affects Version/s: (was: 3.5.2)
Component/s: (was: Documentation: Guides)
(was: Bootstrap & Build)
(was: Artifacts and Repositories)
Key: MNGSITE-334 (was: MNG-6367)
Project: Maven Project Web Site (was: Maven)
> maven installation insecure
> ---------------------------
>
> Key: MNGSITE-334
> URL: https://issues.apache.org/jira/browse/MNGSITE-334
> Project: Maven Project Web Site
> Issue Type: Bug
> Reporter: Warren MacEvoy
> Priority: Major
>
> The recommended install suggests using an insecure mirror, and then provides
> either an md5 sum (completely insecure, broken a thousand years ago), or a
> gpg signature (99% of installers will give up on following these directions,
> since they provide incomplete instructions on how to actually do it, and it
> is not easy to do).
> Please provide a SHA256 sum with your distribution! Please remove the MD5
> sum which is dangerous (provides a false sense of security). Please provide
> a complete recipe for verifying a signature using GnuPG.
> This bug affects all versions. Here is the very unsatisfying result of
> verifying using GPG:
> *gpg --verify $FILE.asc*
> gpg: assuming signed data in `apache-maven-3.5.2-bin.tar.gz'
> gpg: Signature made Wed 18 Oct 2017 01:59:56 AM MDT using DSA key ID B620D787
> gpg: Good signature from "Stephen Connolly <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
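A complete verification recipe of the kind the report asks for, added here as an example; it is not the Maven project's own script or documentation. It assumes the tarball and its detached `.asc` signature are in the current directory, that the expected SHA-256 was copied from the project's download page over HTTPS, and that the signer's fingerprint was read from the project's `KEYS` file (its location, the `.sha256` digest value and every sample status line are assumptions or constructed inputs). The point it makes about the `gpg` output quoted in the report: `Good signature` (`GOODSIG`) only says the signature matches some imported key, and the "not certified with a trusted signature" warning is gpg declining to vouch for that key. Rather than building a web of trust, the script requires a `VALIDSIG` line whose fingerprint equals the one pinned from `KEYS`.

```shell
#!/bin/sh
# Added example (not the Maven project's own script): verify a Maven binary
# distribution by SHA-256 and by a GPG signature checked against a *pinned*
# fingerprint taken from the project's KEYS file. The .asc path, the KEYS
# path and the expected digest are inputs the user obtains over HTTPS.
set -eu

# Portable SHA-256 of a file (GNU coreutils sha256sum, or Perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 <file> <expected-hex>: 0 on match, 1 on mismatch.
# Comparison is case-insensitive because download pages print either case.
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# gpg_status_ok <status-fd text> <pinned fingerprint>: decide from gpg's
# machine-readable --status-fd lines whether the signature is acceptable.
# GOODSIG alone only means the signature matches *some* imported key, and
# TRUST_UNDEFINED is the status form of the "not certified" warning. We
# ignore trust lines and instead require a VALIDSIG line whose signing-key
# or primary-key fingerprint equals the pinned one, rejecting on any
# BADSIG / ERRSIG / EXPKEYSIG / REVKEYSIG line.
gpg_status_ok() {
    status=$1
    pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    printf '%s\n' "$status" | awk -v fpr="$pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# verify_gpg <file> <keys-file> <pinned fingerprint>: import KEYS into a
# throwaway keyring (so the user's own keyring and trust settings play no
# part) and verify <file>.asc over <file>.
verify_gpg() {
    file=$1; keys=$2; pinned=$3
    home=$(mktemp -d)
    gpg --batch --homedir "$home" --import "$keys" >/dev/null 2>&1
    # gpg exits non-zero on a bad signature; we want the status lines anyway.
    status=$(gpg --batch --homedir "$home" --status-fd 1 \
                 --verify "$file.asc" "$file" 2>/dev/null || true)
    rm -rf "$home"
    gpg_status_ok "$status" "$pinned"
}

# Usage: verify-maven.sh apache-maven-3.5.2-bin.tar.gz <sha256> <fingerprint> [KEYS]
main() {
    file=$1; expected=$2; pinned=$3; keys=${4:-KEYS}
    verify_sha256 "$file" "$expected" ||
        { echo "FAIL: SHA-256 mismatch for $file" >&2; exit 1; }
    verify_gpg "$file" "$keys" "$pinned" ||
        { echo "FAIL: $file.asc is not a valid signature by key $pinned" >&2; exit 1; }
    echo "OK: $file checksum and signature verified"
}

if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

The decision logic is kept in `gpg_status_ok`, separate from the `gpg` invocation, so it can be exercised on captured status output without a keyring. The fingerprint should be pinned once, from `KEYS` fetched over HTTPS, and the same value reused for every release; a signature from a different key in `KEYS` still fails, which is the intended behaviour when the signer changes unexpectedly.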