I have been talking with the bouncy castle people; they make some good
suggestions. One problem with even including the public cert of Apache
in the ant and maven distros, is that you have to make sure that that
distro isnt subverted first.

I have also been having longer discussions with a colleague who
manages security on our (GPL) deployment framework.

1. MD5 is less secure than SHA1. Despite the press that SHA1 has been
getting, MD5 collisions can be used to generate evil-twin x509 certs,
among other things:


2. what about using an SHA1 signature of an archive as its key for
retrieval. So instead of saying

<library project="org.apache.axis"  artifact="axis" version="1.2-RC3" />

mapping to org/apache/axis/axis-1.2-RC3.jar

you have

<library project="org.apache.axis"  artifact="axis" 
    hash="04f3d5aab0" />

mapping to org/apache/axis/axis-04f3d5aab0.jar

The advantage here is that by using the # as the version, the build
file contains a declaration of what hash is expected, so its easy to
verify the version. Nobody can subvert the artifact without changing
the # value, and when that happens the filename changes or the name
and hash diverge, something that is trivially obvious to any
verification routing.

The disadvantages
 -no obvious 'latest version' in the repository
 -harder to field support calls, "what is the hash of your artifacts"?

But maybe version and hash would work. 

I think the .NET Global Assembly Cache works a bit like this, but am not sure.

Reply via email to