Hi Steve,

Steve Loughran wrote:

I'm Steve Loughran of the Ant project; Nicolaken said I should get on
this mail list

1. I have just added to Ant CVS_HEAD a task to get libraries from a
repository; built-in support is for maven layouts, though others are

This is a great idea.

2. I worry about the security aspects. I don't think it is enough to
verify the MD5 signatures, because they are served up on the same
(http) server.
What should I be doing for verifying remote downloads are the intended
ones, or what changes are planned in the near future that our task
should ready itself for?
Note that the task is focused on JAR/WAR/EAR archives only, so we can
do full jar signature checking if that is felt the best solution. And
we can ship with the public key of an Apache/Maven/Gump CA to verify
signatures. Indeed, the fact that nothing has shipped at all yet (and
won't till 1.7 alpha) means that we have time to get things right here.


This subject is going to be dependent on the overall capabilities of Maven itself. I think, as Maven moves forward, you're going to see more requirements for signatures. I think that in your case, all the Ant task would probably maintain is some "warning" or interactive y/n/a/na concerning the signature being missing or bad. This is because no matter what policies we put in place for the ASF Repository, they are but a subset of possible outcomes in Maven.

Ultimately, users of the task should be using http://www.ibiblio.org/maven, an Apache mirror, or another local Maven repository as the target for downloading dependencies, and not ever the /dist/java-repository on minotaur directly.

In theory, all PGP signatures on files in the repository should have public keys stored somewhere under "KEYS" like other contents of /dist/, but I don't currently think this is a well-maintained or organized practice in the ASF Repository. It should be better maintained and we've had discussions about improving it.


Mark Diggory
Open Source Software Developer
Apache Jakarta Project
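The verification policy discussed above, written out as an added example (not Ant's or Maven's own code): the .md5 sidecar is treated as a transport-integrity check only, because it is served by the same HTTP server as the artifact, and authenticity comes from a detached PGP signature checked against a KEYS file obtained out of band. It assumes gpg and md5sum are installed and that the KEYS file did not come from the download mirror.

```shell
#!/bin/sh
# Added example of a download-verification policy for a repository task.
# Not Ant's or Maven's code. Assumes gpg and md5sum are on the PATH and that
# the KEYS file was fetched from a trusted place, not from the mirror that
# serves the artifact.

# Integrity only. The .md5 sidecar comes from the same HTTP server as the
# artifact, so a match proves the transfer was not corrupted, nothing more.
check_md5() {
    artifact="$1"; md5file="$2"
    expected=$(awk 'NR==1 {print $1}' "$md5file" | tr 'A-F' 'a-f')
    actual=$(md5sum "$artifact" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Authenticity. Verify the detached PGP signature in a throwaway GNUPGHOME
# that contains only the keys from KEYS, so nothing in the user's own keyring
# can make an unknown signer look acceptable.
verify_signature() {
    artifact="$1"; sig="$2"; keys="$3"
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --quiet --import "$keys" 2>/dev/null
    GNUPGHOME="$home" gpg --batch --quiet --verify "$sig" "$artifact" 2>/dev/null
    rc=$?
    rm -rf "$home"
    return $rc
}

# Policy: reject on a checksum mismatch, a missing signature, or a signature
# that no key in KEYS made.
# Usage: verify_artifact lib.jar lib.jar.md5 lib.jar.asc KEYS
verify_artifact() {
    artifact="$1"; md5file="$2"; sig="$3"; keys="$4"
    check_md5 "$artifact" "$md5file" \
        || { echo "REJECT $artifact: checksum mismatch" >&2; return 1; }
    [ -f "$sig" ] \
        || { echo "REJECT $artifact: no signature" >&2; return 1; }
    verify_signature "$artifact" "$sig" "$keys" \
        || { echo "REJECT $artifact: bad signature" >&2; return 1; }
    echo "OK $artifact"
}
```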
