For anyone interested in this discussion, I also posted a follow-up on how to actually verify Maven dependencies: http://branchandbound.net/blog/security/2012/08/verify-dependencies-using-pgp/

The situation is pretty dire as you can see: none of the Maven based build tools integrate this verification into their workflow, so it's all manual (or use the commercial Nexus Pro repo manager).
On Friday, March 23, 2012 9:09:02 PM UTC+1, Sander Mak wrote:
>
> We often joke about 'Maven downloading the internet', but how often are we
> concerned about what is actually downloaded? I've written some thoughts
> (http://branchandbound.net/blog/security/2012/03/crossbuild-injection-how-safe-is-your-build/)
> on cross-build injection attacks, where malicious code could be injected
> into a build.
>
> What do you guys do in practice to prevent this? Does anyone have
> real-life experience with such an attack?
>
> Regards,
>
> Sander

--
You received this message because you are subscribed to the Google Groups "Java Posse" group.
To view this discussion on the web visit https://groups.google.com/d/msg/javaposse/-/ufKWjuaeHmIJ.
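The follow-up post above says the verification is entirely manual. As an added example (not code from the thread or from Sander's blog post), here is a small Python audit script that walks a local Maven repository and reports, for every `.jar` and `.pom`, whether the `.sha1` sidecar matches the file and whether a detached `.asc` PGP signature exists and verifies with `gpg`. The default repository path `~/.m2/repository`, the sidecar naming (`<file>.sha1`, `<file>.asc`) and the status labels are assumptions of this example; `build_sample_repo()` fabricates a tiny repository with constructed bytes so the script can be exercised offline. Note that a matching `.sha1` only proves the download was not corrupted in transit, since a compromised repository can publish a matching checksum; the signature check is the one that ties an artifact to a key.

```python
"""Audit a local Maven repository for missing checksums and missing or
invalid PGP signatures.  Example code written for this thread; the layout
(~/.m2/repository, <file>.sha1 and <file>.asc sidecars) is an assumption."""
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path


def sha1_of(path):
    """Hex SHA-1 of a file, read in chunks so large jars do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_status(artifact):
    """'ok', 'mismatch' or 'missing' for the .sha1 sidecar next to the artifact."""
    sidecar = artifact.with_name(artifact.name + ".sha1")
    if not sidecar.exists():
        return "missing"
    # Sidecars may be "<hex>" or "<hex>  <filename>"; only the digest matters.
    expected = sidecar.read_text().split()[0].lower()
    return "ok" if expected == sha1_of(artifact) else "mismatch"


def signature_status(artifact, keyring=None):
    """Verify the detached .asc signature with gpg, if both are available.
    Returns 'unsigned', 'gpg-unavailable', 'good', 'unknown-key' or 'bad'."""
    sidecar = artifact.with_name(artifact.name + ".asc")
    if not sidecar.exists():
        return "unsigned"
    gpg = shutil.which("gpg")
    if gpg is None:
        return "gpg-unavailable"
    # --status-fd 1 makes gpg print machine-readable status lines on stdout.
    cmd = [gpg, "--batch", "--status-fd", "1"]
    if keyring:  # optional pinned keyring of trusted release keys
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", str(sidecar), str(artifact)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    status = proc.stdout
    if "[GNUPG:] GOODSIG" in status or "[GNUPG:] VALIDSIG" in status:
        return "good"
    if "[GNUPG:] NO_PUBKEY" in status:
        return "unknown-key"  # signed, but by a key we have never imported
    return "bad"  # BADSIG, expired/revoked key, or gpg error


def audit(repo_dir):
    """Return [(relative_path, checksum_status, signature_status), ...]."""
    base = Path(repo_dir)
    results = []
    for artifact in sorted(base.rglob("*")):
        if not artifact.is_file() or artifact.suffix not in (".jar", ".pom"):
            continue
        rel = artifact.relative_to(base).as_posix()
        results.append((rel, checksum_status(artifact), signature_status(artifact)))
    return results


def build_sample_repo():
    """Create a constructed, throwaway repository: one artifact with a correct
    checksum, one with a wrong checksum, one with no sidecars at all."""
    base = Path(tempfile.mkdtemp())
    lib = base / "org" / "example" / "lib" / "1.0"
    lib.mkdir(parents=True)
    good = lib / "lib-1.0.jar"
    good.write_bytes(b"PK constructed jar bytes")  # constructed, not a real jar
    (lib / "lib-1.0.jar.sha1").write_text(sha1_of(good) + "  lib-1.0.jar\n")
    (lib / "lib-1.0.pom").write_bytes(b"<project/>")
    (lib / "lib-1.0.pom.sha1").write_text("0" * 40 + "\n")  # deliberately wrong
    other = base / "org" / "example" / "other" / "2.0"
    other.mkdir(parents=True)
    (other / "other-2.0.jar").write_bytes(b"constructed bytes")
    return str(base)


if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.m2/repository")
    for rel, chk, sig in audit(repo):
        print(f"{chk:8} {sig:15} {rel}")
```

Run it against a real local repository with `python audit_m2.py ~/.m2/repository`; anything reported as `unsigned` is a dependency that cannot be verified by PGP at all, and `unknown-key` means the signing key still has to be fetched and decided on before the signature means anything. Pass a pinned keyring of release keys you have already reviewed via `signature_status(..., keyring=...)` to avoid trusting whatever happens to be in the default keyring.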
