Re: Taking Security Seriously

2016-12-06 Thread Alexander Kjäll
Hi The attack scenario that I'm trying to guard against is the following: Stopping an attacker that manages to exploit the our nexus server from being able to run arbitrary code on all the build servers and developer machines in our organization. best regards Alexander Kjäll On 06. des.

Re: Taking Security Seriously

2016-12-06 Thread Tibor Digana
What real problem is behind your question? Are you running any tool which has a problem with signatures in Nexus or the development process in your company has a problem? The MD5 is not security nothing but verification of deployed artifact is identical binary you have downloaded from Nexus, and

Re: Taking Security Seriously

2016-12-06 Thread Alexander Kjäll
This is a a good idea, and a hash it would serve roughly as good as specifying the key i think, it would maybe even be better since it's easier to generate a hash. It might be wise to plan for the future, as what ever hash algorithm that is considered best practice today will be broken and

Re: Taking Security Seriously

2016-12-05 Thread Martin Gainty
From: Bernd Eckenfels <e...@zusammenkunft.net> Sent: Monday, December 5, 2016 5:10 PM To: Maven Developers List Subject: Re: Taking Security Seriously Having artifact checksums (hashes not signatures) in POM dependency declarations would b

Re: Taking Security Seriously

2016-12-05 Thread Bernd Eckenfels
Having artifact checksums (hashes not signatures) in POM dependency declarations would be cool, but that is not what .md5 or .asc is used for.  Gruss Bernd -- http://bernd.eckenfels.net On Mon, Dec 5, 2016 at 10:45 PM +0100, "Alexander Kjäll" wrote:

Re: Taking Security Seriously

2016-12-05 Thread Alexander Kjäll
Maybe we are talking about different attack scenarios? The vector I would like to protect against is that someone is able to inject false binaries in a caching nexus server (or over the network if https is not used). The way I envision the trust to be established is: The developer goes either

Re: Taking Security Seriously

2016-12-05 Thread Hervé BOUTEMY
I fear the proposed change would not improve security but lower it: if the pom contains the reference to a key "to be used to sign the artifact", anybody wanting to change the content will just change the key reference to a value it owns yes, knowing which keys you should trust to sign which

Re: Taking Security Seriously

2016-12-05 Thread Alexander Kjäll
Regarding verifying the gpg signature, as a contributor to the gpg verify plugin here: http://www.simplify4u.org/pgpverify-maven-plugin/index.html I have some thoughts on why the current infrastructure doesn't really help us to verify the signatures in practice: 1) Very hard to know what

Re: Taking Security Seriously

2016-12-04 Thread Hervé BOUTEMY
AFAIK, checksums are there only to avoid stupid download/upload distorsion. What gives real security is *signature* done by developers, ie .asc files, that use other hash algorithms than these little .md5 and .sha1 files. That's why we recommend to verify *the signature* [1]. Another topic:

Re: Taking Security Seriously

2016-12-04 Thread Anders Hammar
My view is that the artifact checksums deployed have nothing to do with security, but just a way for Maven to verify that the download was ok. It's not verifying that it's the *correct* (valid) artifact that was downloaded. The apache link you're refering to talks about release signatures, not

Taking Security Seriously

2016-12-04 Thread John Patrick
Hiya, So currently checksum's are not generated by default... I've submitted a ticket which switched the install plugin to generate them by default. Next step stop using md5 which most have considered dead for several years, and checking apache (https://www.apache.org/dev/release-signing.html)