Hi Steve,

I'd like to do whatever we can to get better security on this stuff. I
just need to get my head around what JAR signing provides in
comparison to key signing, and what impact it might have on existing
code. I'll read up on it.

Is there a rough timeframe on the next Ant release so we can shoot to
include all of this?

- Brett

On Wed, 12 Jan 2005 21:01:41 +0000, Steve Loughran
<[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I've been reading the security proposal for the maven2 repository @
> http://docs.codehaus.org/display/MAVEN/Maven2+repository
> 
> One thing I'd like to see is *every* JAR signed w/ certs under a
> single CA, say the Maven one. That way, if I go against a public
> maven2 repository for JAR download, I can check that it is signed.
> 
> This does add a side effect to every JAR -and is JAR only- but offers
> the following features
> 
> -integrates w/ the Java security stuff, esp. secure classloaders
> -one GET includes security info
> -security info propagates. With maven and ant support, the
> repositories could soon become the core means of picking up JAR Files.
> Which means that gradually the JAR files everywhere get signed.
> 
> We do need to make it easy to sign stuff.
> 
> If we can make progress on this, we can get the relevant CA info and
> layout logic into the next ant release, so Ant will be set up to
> *only* work with the maven2 layout. That would be nice; less legacy
> problems.
> 
> -steve
>
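The check Steve proposes, that every entry of a downloaded JAR is signed under one CA, is shown below as an added Java example (not code from Ant, Maven or either poster). It assumes a `jarPath` and a CA certificate `caCert` supplied by the caller, and it skips revocation checking.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

/** Added example: report JAR entries not signed by a certificate chaining to one trusted CA. */
public class JarSignatureCheck {

    /** Returns the names of entries that are unsigned, tampered with, or signed outside the CA. */
    public static List<String> rejectedEntries(String jarPath, X509Certificate caCert) throws Exception {
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(caCert, null)));
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP reachable during this check
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<String> rejected = new ArrayList<>();
        byte[] buf = new byte[8192];
        // verify=true makes JarFile check each entry's digest against the signed manifest
        // while the entry is read; a modified entry raises SecurityException on read
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (JarEntry entry : Collections.list(jar.entries())) {
                String name = entry.getName();
                if (entry.isDirectory() || name.startsWith("META-INF/")) continue; // not covered by the signature
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { } // signers are only known once the entry is fully read
                } catch (SecurityException e) {
                    rejected.add(name + " (digest mismatch)");
                    continue;
                }
                CodeSigner[] signers = entry.getCodeSigners(); // null for an unsigned entry
                if (signers == null || !anySignerChainsToAnchor(signers, validator, params, cf, caCert)) {
                    rejected.add(name);
                }
            }
        }
        return rejected;
    }

    private static boolean anySignerChainsToAnchor(CodeSigner[] signers, CertPathValidator validator,
            PKIXParameters params, CertificateFactory cf, X509Certificate caCert) {
        for (CodeSigner signer : signers) {
            List<Certificate> chain = new ArrayList<>(signer.getSignerCertPath().getCertificates());
            chain.remove(caCert); // a PKIX path excludes the trust anchor itself
            try {
                validator.validate(cf.generateCertPath(chain), params); // throws unless the chain ends at the CA
                return true;
            } catch (GeneralSecurityException e) {
                // this signer's chain does not lead to our CA; try the next signer
            }
        }
        return false;
    }
}
```

An empty result means the JAR can be handed to a secure classloader with the CA as the only trust root; any listed entry means the download should be rejected rather than partially trusted.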
