On Friday, March 23, 2012 10:21:20 PM UTC+1, greddin wrote:
>
> On Fri, Mar 23, 2012 at 3:09 PM, Sander Mak wrote:
> > What do you guys do in practice to prevent this? Does anyone have
> > real-life experience with such an attack?
>
> I think you raise some really good questions here, some that I've
> thought about before, but skipped over because "I don't have time to
> think about those things" :-)

Right, that sounds all too familiar :)

> This is where organizations like the Apache Software Foundation are
> helpful. Apache frowns upon projects that don't make releases every so
> often, so you're likely to have a somewhat recent release of an Apache
> product. It's up to you and your dependent software projects to ensure
> you're using the later releases.

Right, but that does not necessarily solve the distribution/verification problem. Another company I've run into that can help with curating OSS is BlackDuck (http://www.blackducksoftware.com/management-of-open-source), however I've yet to see it in practice anywhere.

> As an aside, do you know if Artifactory contains the PGP checking
> feature that Nexus does? We've been using the open-source version of
> Nexus and are in the process of switching to the pro version of
> Artifactory.

I'm not sure, but a cursory glance through Google did not turn up any supporting evidence...

Regards,
Sander

--
Twitter: @Sander_Mak
Blog: http://branchandbound.net

--
You received this message because you are subscribed to the Google Groups "The Java Posse" group.
To view this discussion on the web visit https://groups.google.com/d/msg/javaposse/-/Qg-U-jSk5f4J.
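The "distribution/verification problem" Sander points to, as an added example (this is not code from the thread, from Sander, or from Nexus, Artifactory or BlackDuck): Maven repositories publish a .sha1 file beside every artifact, and the script below walks a local repository in the standard Maven layout (groupId/artifactId/version/artifact-version.jar) and checks each .jar and .pom against its sidecar digest. The sample repository it runs on is constructed in a temporary directory with one intact artifact, one modified after its digest was written, and one with no sidecar at all, so nothing is downloaded. Keep the limit of this check in mind: the digest is served from the same place as the artifact, so it catches corruption and truncated downloads, not a repository or mirror that serves a modified artifact together with a matching digest. Catching that requires verifying the detached PGP signature (the .asc file) against a signing key obtained and pinned out of band, which is the kind of check the "PGP checking feature" of Nexus mentioned above refers to.

```python
"""Verify Maven artifacts in a local repository against their .sha1 sidecar files.

Added example, not code from the thread. Assumes the standard Maven repository
layout with a .sha1 file beside each artifact; the sample repository below is
constructed in a temporary directory, so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

ARTIFACT_SUFFIXES = (".jar", ".pom")


def sha1_hex(path: Path) -> str:
    """Stream the file through SHA-1, the digest Maven publishes as <file>.sha1."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sidecar(path: Path) -> str:
    """Return the digest recorded in a .sha1 file.

    The file normally holds just the hex digest, but some tools also append
    the file name (sha1sum style), so only the first token is used. An empty
    or malformed sidecar yields "" and therefore never matches.
    """
    tokens = path.read_text(encoding="ascii", errors="replace").split()
    return tokens[0].lower() if tokens else ""


def verify_repository(root: Path) -> dict:
    """Classify every .jar/.pom under root as ok, mismatch, or missing (no sidecar)."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for artifact in sorted(root.rglob("*")):
        if not artifact.is_file() or artifact.suffix not in ARTIFACT_SUFFIXES:
            continue
        rel = artifact.relative_to(root).as_posix()
        sidecar = artifact.with_name(artifact.name + ".sha1")
        if not sidecar.is_file():
            report["missing"].append(rel)
        elif sha1_hex(artifact) == parse_sidecar(sidecar):
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    return report


def _write_artifact(root: Path, rel: str, data: bytes, sidecar: bool = True) -> Path:
    """Write a fake artifact and, by default, a sha1sum-style sidecar for it."""
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    if sidecar:
        path.with_name(path.name + ".sha1").write_text(f"{sha1_hex(path)}  {path.name}\n")
    return path


def build_sample_repo() -> Path:
    """Constructed sample: one intact artifact, one tampered, one without a sidecar."""
    root = Path(tempfile.mkdtemp(prefix="m2-sample-"))
    _write_artifact(root, "org/example/lib/1.0/lib-1.0.jar", b"PK\x03\x04 intact jar bytes")
    # The .sha1 is written for the original bytes, then the artifact is changed.
    tampered = _write_artifact(root, "org/example/lib/1.0/lib-1.0.pom", b"<project>original</project>")
    tampered.write_bytes(b"<project>modified after the .sha1 was written</project>")
    _write_artifact(root, "org/example/other/2.1/other-2.1.jar", b"PK\x03\x04 no sidecar", sidecar=False)
    return root


if __name__ == "__main__":
    for status, paths in verify_repository(build_sample_repo()).items():
        for rel in paths:
            print(f"{status:8s} {rel}")
```

Pointing `verify_repository` at a real ~/.m2/repository works unchanged; artifacts listed under "missing" are the ones a repository manager never fetched a digest for, and anything under "mismatch" should be deleted and re-fetched rather than trusted.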
