Re: verifying signatures, PGP or ... (was Re: [VOTE] Release Apache Maven Artifact Plugin version 3.5.0)
> since anything downloaded comes over https and is already signature
> checked

Transport security is something completely different and does not ensure you get the "right" artifact, just that it was not tampered with in between.

> How does this signature check prevent someone from doing something bad?

I think the best thing (even though probably not realistic) would be to ask the user if they trust a key (e.g. one from Apache, one from Eclipse, one from ...) that is then used to trust "project keys". That way you can't accidentally pull in things via a dependency chain, and even if you are using a mirror (e.g. Nexus) you can always trace back to the originator.

On 01.10.23 at 14:48, Elliotte Rusty Harold wrote:
> 1. I suspect dependabot doesn't work with this. Does it? Is this worth giving up dependabot for?
>
> 2. What's the threat model? As best I can make out, someone would have to compromise the dependencies in the local .m2/repo since anything downloaded comes over https and is already signature checked.
>
> 3. Suppose someone does succeed in compromising this. What's the impact? I suppose if someone changed junit.jar (for one example) they could make maven test exfiltrate local data or run a crypto miner. But I don't think we should be in the business of protecting against local compromises. How does this signature check prevent someone from doing something bad?

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
[RESULT] [VOTE] Release Apache Maven Artifact Plugin version 3.5.0
Hi,

The vote has passed with the following result:

+1 : Sylwester Lachiewicz, Tamás Cservenák, Michael Osipov, Hervé Boutemy

PMC quorum reached

I will promote the source release zip file to the Apache distribution area and the artifacts to the central repo.
Fwd: Re: [VOTE] Release Apache Maven Artifact Plugin version 3.5.0
was intended for the list :)

-- Forwarded message --
Subject: Re: [VOTE] Release Apache Maven Artifact Plugin version 3.5.0
Date: Saturday 30 September 2023, 18:45:51 CEST
From: Michael Osipov
To: Hervé Boutemy

On 2023-09-29 at 08:00, Hervé Boutemy wrote:
> Hi,
>
> We solved 6 issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322&version=12353118&styleName=Text
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1992/
> https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip
>
> Source release checksum(s):
> maven-artifact-plugin-3.5.0-source-release.zip sha512: 3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1
>
> Staging site:
> https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/
>
> Guide to testing staged releases:
> https://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open for at least 72 hours.

+1
Re: verifying signatures, PGP or ... (was Re: [VOTE] Release Apache Maven Artifact Plugin version 3.5.0)
1. I suspect dependabot doesn't work with this. Does it? Is this worth giving up dependabot for?

2. What's the threat model? As best I can make out, someone would have to compromise the dependencies in the local .m2/repo since anything downloaded comes over https and is already signature checked.

3. Suppose someone does succeed in compromising this. What's the impact? I suppose if someone changed junit.jar (for one example) they could make maven test exfiltrate local data or run a crypto miner. But I don't think we should be in the business of protecting against local compromises. How does this signature check prevent someone from doing something bad?

--
Elliotte Rusty Harold
elh...@ibiblio.org
Re: [VOTE] Release Apache Maven Artifact Plugin version 3.5.0
+1

On Sat, 30 Sep 2023, 20:08, Hervé Boutemy wrote:
> +1
>
> Reproducible Builds ok: reference build done on *nix with JDK 11
>
> Regards,
>
> Hervé
>
> On Friday 29 September 2023, 08:00:39 CEST, Hervé Boutemy wrote:
> > Hi,
> >
> > We solved 6 issues:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322&version=12353118&styleName=Text
> >
> > Staging repo:
> > https://repository.apache.org/content/repositories/maven-1992/
> > https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip
> >
> > Source release checksum(s):
> > maven-artifact-plugin-3.5.0-source-release.zip sha512:
> > 3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1
> >
> > Staging site:
> > https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/
> >
> > Guide to testing staged releases:
> > https://maven.apache.org/guides/development/guide-testing-releases.html
> >
> > Vote open for at least 72 hours.
> >
> > [ ] +1
> > [ ] +0
> > [ ] -1
Re: [VOTE] Release Apache Maven Artifact Plugin version 3.5.0
+1

On Fri, Sep 29, 2023 at 8:00 AM Hervé Boutemy wrote:
> Hi,
>
> We solved 6 issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322&version=12353118&styleName=Text
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1992/
> https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip
>
> Source release checksum(s):
> maven-artifact-plugin-3.5.0-source-release.zip sha512:
> 3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1
>
> Staging site:
> https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/
>
> Guide to testing staged releases:
> https://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open for at least 72 hours.
>
> [ ] +1
> [ ] +0
> [ ] -1
Re: [VOTE] Release Apache Maven Artifact Plugin version 3.5.0
+1

Reproducible Builds ok: reference build done on *nix with JDK 11

Regards,

Hervé

On Friday 29 September 2023, 08:00:39 CEST, Hervé Boutemy wrote:
> Hi,
>
> We solved 6 issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322&version=12353118&styleName=Text
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1992/
> https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip
>
> Source release checksum(s):
> maven-artifact-plugin-3.5.0-source-release.zip sha512:
> 3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1
>
> Staging site:
> https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/
>
> Guide to testing staged releases:
> https://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open for at least 72 hours.
>
> [ ] +1
> [ ] +0
> [ ] -1
verifying signatures, PGP or ... (was Re: [VOTE] Release Apache Maven Artifact Plugin version 3.5.0)
Very useful feedback.

Creating a separate thread because this will be a useful discussion, completely independent from the vote.

I added PGP signature verification to this project as an IRL test, to get real experience of the impact: yes, it makes dependency upgrades harder because often, different releases of the same project don't use the same PGP key...

And you're right to ask a more fundamental question: is it useful to check at build time? I'll add: is it useful to sign if nobody checks?

I don't have a definitive answer: I just know that currently a Maven build downloads many binaries and checks fingerprints that prove that there was no data loss against the origin server. But this does not prove that it has not been actively tampered with by a bad actor.

So I'm convinced that checking signatures can improve our security, if we find a stable way to define accepted keys for each project: perhaps the plugin should support downloading KEYS files from Apache projects? What about other projects that don't provide such a KEYS file?

FYI, I'm working on sigstore signatures, which have proven easier to use for signing: but on checking signatures, everything remains to be defined. Who does signature checks? When? How? And it is only once we have some insights that we'll be able to see if the checking experience is better or not.

Happy to get feedback from everybody

Regards,

Hervé

On Friday 29 September 2023, 14:36:08 CEST, Elliotte Rusty Harold wrote:
> Not a blocker but I did take a quick look at the dependencies. I
> noticed that maven-shared-utils was out of date, but when I tried to
> update it, it failed on verification of the PGP signature of
> commons-io which was now 2.13.0 instead of 2.11.0. This comes from the
> Verify PGP signatures plugin, which I haven't seen before.
>
> Is this a helpful check? I haven't seen it before, and it definitely
> adds extra work to updating dependencies. If it makes dependencies
> less likely to be kept up to date, that's likely to be a net security
> negative. Is there a strong reason to check PGP signatures at build
> time? And if there is, why are we doing this with a fixed map instead
> of looking them up in Maven Central?
>
> On Fri, Sep 29, 2023 at 2:00 AM Hervé Boutemy wrote:
> > Hi,
> >
> > We solved 6 issues:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322&version=12353118&styleName=Text
> >
> > Staging repo:
> > https://repository.apache.org/content/repositories/maven-1992/
> > https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip
> >
> > Source release checksum(s):
> > maven-artifact-plugin-3.5.0-source-release.zip sha512:
> > 3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1
> >
> > Staging site:
> > https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/
> >
> > Guide to testing staged releases:
> > https://maven.apache.org/guides/development/guide-testing-releases.html
> >
> > Vote open for at least 72 hours.
> >
> > [ ] +1
> > [ ] +0
> > [ ] -1
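The distinction Hervé draws above (a checksum served by the repository proves integrity in transit, while a signature checked against keys the user has chosen to trust proves origin) and the two-level trust the first reply proposes (the user trusts a key source such as a project's KEYS file, which in turn vouches for the release keys), as an added Python sketch that is not part of this thread or of the plugin's code. It models only the trust policy layered on top of signature verification; the cryptographic check of the .asc itself is assumed to have already been done by the tooling, and all fingerprints, KEYS names and artifact bytes are constructed placeholders.

```python
import hashlib

# Constructed trust data (placeholders, not real fingerprints or KEYS files).
# Level 1: key sources the user explicitly trusts (e.g. an Apache project's
# KEYS file), each listing the release-signing keys it vouches for.
# Level 2: which source each groupId:artifactId must trace back to. Keying by
# groupId:artifactId rather than by version means a key rotation between
# releases (the commons-io 2.11.0 -> 2.13.0 case) needs a KEYS update, not a
# new per-version map entry.
TRUSTED_SOURCES = {
    "apache-commons-KEYS": {"FPR-COMMONS-2021", "FPR-COMMONS-2023"},
}
ARTIFACT_SOURCE = {
    "commons-io:commons-io": "apache-commons-KEYS",
}


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def verify_checksum(artifact: bytes, published_sha512: str) -> bool:
    """What a normal Maven download already checks: the bytes match the
    checksum the repository served. Proves nothing about who published them."""
    return sha512_hex(artifact) == published_sha512.lower()


def check_signer(coordinates: str, signer_fpr: str) -> tuple:
    """Accept an artifact only if the key that (cryptographically) signed it is
    vouched for by the key source configured for its groupId:artifactId."""
    ga, _, _version = coordinates.rpartition(":")
    source = ARTIFACT_SOURCE.get(ga)
    if source is None:
        return False, f"{ga}: no trusted key source configured"
    if signer_fpr not in TRUSTED_SOURCES[source]:
        return False, f"{coordinates}: key {signer_fpr} not listed in {source}"
    return True, f"{coordinates}: key {signer_fpr} traces back to {source}"


def evaluate(coordinates: str, artifact: bytes, published_sha512: str, signer_fpr: str) -> dict:
    ok, why = check_signer(coordinates, signer_fpr)
    return {"checksum_ok": verify_checksum(artifact, published_sha512), "signer_ok": ok, "detail": why}


def demo() -> dict:
    # Constructed scenario: a mirror serves modified bytes with a recomputed
    # .sha512 and a signature from a key outside the project's KEYS file. The
    # checksum passes; only the key policy notices the origin is wrong.
    tampered = b"constructed: modified jar bytes"
    return evaluate("commons-io:commons-io:2.13.0", tampered, sha512_hex(tampered), "FPR-UNKNOWN")
```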
Re: [VOTE] Release Apache Maven Artifact Plugin version 3.5.0
Not a blocker but I did take a quick look at the dependencies. I noticed that maven-shared-utils was out of date, but when I tried to update it, it failed on verification of the PGP signature of commons-io which was now 2.13.0 instead of 2.11.0. This comes from the Verify PGP signatures plugin, which I haven't seen before.

Is this a helpful check? I haven't seen it before, and it definitely adds extra work to updating dependencies. If it makes dependencies less likely to be kept up to date, that's likely to be a net security negative. Is there a strong reason to check PGP signatures at build time? And if there is, why are we doing this with a fixed map instead of looking them up in Maven Central?

On Fri, Sep 29, 2023 at 2:00 AM Hervé Boutemy wrote:
> Hi,
>
> We solved 6 issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322&version=12353118&styleName=Text
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1992/
> https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip
>
> Source release checksum(s):
> maven-artifact-plugin-3.5.0-source-release.zip sha512:
> 3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1
>
> Staging site:
> https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/
>
> Guide to testing staged releases:
> https://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open for at least 72 hours.
>
> [ ] +1
> [ ] +0
> [ ] -1

--
Elliotte Rusty Harold
elh...@ibiblio.org
[VOTE] Release Apache Maven Artifact Plugin version 3.5.0
Hi,

We solved 6 issues:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322&version=12353118&styleName=Text

Staging repo:
https://repository.apache.org/content/repositories/maven-1992/
https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip

Source release checksum(s):
maven-artifact-plugin-3.5.0-source-release.zip sha512:
3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1

Staging site:
https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/

Guide to testing staged releases:
https://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for at least 72 hours.

[ ] +1
[ ] +0
[ ] -1