> There is no good solution here. Really. 

sure - I understand that. All I am trying to think of is something as
secure as your proposal, but less intrusive to the user. Or at least a
decent way to aid them with tools.

Really, I've been in favour of using bouncycastle and PGP for a long
time, so I guess the time has come to finally bite down and implement

> Or team's security person doesnt believe in anything
> other than clean build code, tagged CVS releases, with personal
> signing. 

That's actually not too bad as they publish all that built stuff to
the company repository and don't have to do any of this :)

> The only reason I can get away with coding the maven lib
> support is that he is away right now...


> The best source of keys (both SHA1 and MD5) will be the PGP signed
> announcements of releases. That puts PGP at the base of the trust
> chain. but we cant automated PGP checks without bouncycastle on the
> path.

I realise this is not something that can be OOTB with Ant, but I'm
sure security conscious folks would be happy to add it. For Maven, I
definitely want to go down this path so we can make signing the
release part of the deployment process too.

Anyway, I'll let the list know if I or someone else in the team
finally get to the point of moving on it.

- Brett

Reply via email to