Very useful feedback. I'm creating a separate thread because this will be a useful discussion, completely independent from the vote.
I added PGP signature verification to this project as an IRL test, to get real
experience of the impact: yes, it makes dependency upgrades harder because
often different releases of the same project don't use the same PGP key...
and you're right to ask a more fundamental question: is it useful to check at
build time?
I'll add: is it useful to sign if nobody checks?
I don't have a definitive answer: I just know that currently a Maven build
downloads many binaries and checks fingerprints that prove there was no data
loss against the origin server. But this does not prove that it has not been
actively tampered with by a bad actor.
Then I'm convinced that checking signatures can improve our security, if we
find a stable way to define accepted keys for each project: perhaps the plugin
should support downloading KEYS files from Apache projects? What about other
projects that don't provide such a KEYS file?
FYI, I'm working on sigstore signatures, which have proven easier to use for signing:
but on checking signatures, everything remains to be defined. Who does the signature
checks? When? How? And it is only once we have some insights that we'll be
able to see if the checking experience is better or not.
Happy to get feedback from everybody
Regards,
Hervé
On Friday 29 September 2023, 14:36:08 CEST, Elliotte Rusty Harold wrote:
> Not a blocker but I did take a quick look at the dependencies. I
> noticed that maven-shared-utils was out of date, but when I tried to
> update it, it failed on verification of the PGP signature of
> commons-io which was now 2.13.0 instead of 2.11.0. This comes from the
> Verify PGP signatures plugin, which I haven't seen before.
>
> Is this a helpful check? I haven't seen it before, and it definitely
> adds extra work to updating dependencies. If it makes dependencies
> less likely to be kept up to date, that's likely to be a net security
> negative. Is there a strong reason to check PGP signatures at build
> time? And if there is, why are we doing this with a fixed map instead
> of looking them up in Maven Central?
>
> On Fri, Sep 29, 2023 at 2:00 AM Hervé Boutemy wrote:
> > Hi,
> >
> > We solved 6 issues:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322;version=12353118=Text
> >
> > Staging repo:
> > https://repository.apache.org/content/repositories/maven-1992/
> > https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip
> >
> > Source release checksum(s):
> > maven-artifact-plugin-3.5.0-source-release.zip sha512:
> > 3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1
> >
> > Staging site:
> > https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/
> >
> > Guide to testing staged releases:
> > https://maven.apache.org/guides/development/guide-testing-releases.html
> >
> > Vote open for at least 72 hours.
> >
> > [ ] +1
> > [ ] +0
> > [ ] -1
> >
> >
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
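As an added example (not code from this thread, nor from the signature-checking plugin discussed in it), here is how a build-side check could pin accepted signing keys per artifact coordinate: the allow-list is parsed from an Apache-style KEYS file and the actual signer is taken from the `VALIDSIG` line of `gpg --status-fd 1 --verify` output, so a release signed by a key that is not yet in the list (the commons-io 2.11.0 to 2.13.0 case above) is rejected rather than silently accepted. The KEYS text, fingerprints and gpg status line below are constructed sample data.

```python
import re

# Constructed sample in the layout of an Apache KEYS file (not any real project's keys).
SAMPLE_KEYS = """\
pub   rsa4096 2019-01-01 [SC]
      Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
uid           Example Release Manager <rm@example.invalid>
pub   rsa4096 2022-06-01 [SC]
      Key fingerprint = BBBB CCCC DDDD EEEE FFFF  0000 1111 2222 3333 4444
"""

FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]{40,})")


def parse_keys_file(text):
    """Return the set of full (40 hex digit) fingerprints listed in a KEYS file."""
    return {m.group(1).replace(" ", "").upper() for m in FPR_RE.finditer(text)}


def signer_from_gpg_status(status_text):
    """Extract the primary-key fingerprint from `gpg --status-fd 1 --verify` output.

    The last field of a VALIDSIG line is the primary key fingerprint (the first
    field may be a signing subkey). No VALIDSIG line means no valid signature.
    """
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[-1].upper()
    return None


def is_trusted(coordinate, status_text, policy):
    """policy maps 'groupId:artifactId' to the fingerprints accepted for it.

    Fails closed: an unknown coordinate, an unsigned artifact or a signature
    by a key outside the pinned set is rejected. A key rotation upstream
    therefore shows up as a failed build until the policy is updated.
    """
    fpr = signer_from_gpg_status(status_text)
    if fpr is None:
        return False
    return fpr in policy.get(coordinate, set())
```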