On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Similarly, the issue of signature validation is a significant flaw which
I also hope maven addresses even more promptly, and which they are aware
of. The alternatives are to take down maven until it is secure, or to
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote:
On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Similarly, the issue of signature validation is a significant flaw which
I also hope maven addresses even more promptly, and which they are aware
of.
On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote:
Thus:
If the central maven repository maintainers (Maven PMC) decide to put
incubator artifacts into their repository without a click-through "this
is incubator code" disclaimer, we'd have no legal reason to say no.
but they cannot require third parties to not sync it into their
repos. -- Is this something Maven PMC is
thinking-about/voted-on/discussing? basically overriding the current
un-written policy of the incubator? Please let us know.
thanks,
dims
On Thu, Sep 18, 2008 at 11:17 AM, Daniel Kulp [EMAIL
On Thursday 18 September 2008 1:14:53 pm Davanum Srinivas wrote:
but they cannot require third parties to not sync it into their
repos. -- Is this something Maven PMC is
thinking-about/voted-on/discussing? basically overriding the current
un-written policy of the incubator? Please let us know.
point taken.
-- dims
On Thu, Sep 18, 2008 at 1:26 PM, Daniel Kulp [EMAIL PROTECTED] wrote:
On Thursday 18 September 2008 1:14:53 pm Davanum Srinivas wrote:
but they cannot require third parties to not sync it into their
repos. -- Is this something Maven PMC is
On Thu, Sep 18, 2008 at 10:59 AM, sebb [EMAIL PROTECTED] wrote:
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote:
On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Similarly, the issue of signature validation is a significant flaw which
I also hope maven
Hiram Chirino wrote:
So the responsibility is still on us, the upstream distributor, to
verify the checksums we list in our source distro are correct.
But at least by doing this, downstream users of our source distros
can rest assured that the dependencies that they are using are the
On Thu, Sep 18, 2008 at 10:26 AM, Daniel Kulp [EMAIL PROTECTED] wrote:
On Thursday 18 September 2008 1:14:53 pm Davanum Srinivas wrote:
but they cannot require third parties to not sync it into their
repos. -- Is this something Maven PMC is
thinking-about/voted-on/discussing? basically
Hi,
On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Not if there is a man in the middle attack. If you didn't notice the
recent noise w.r.t. DNS pollution, that's the very point of that vector.
Had it been exploited, tens of thousands of download users could
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote:
On Thu, Sep 18, 2008 at 10:59 AM, sebb [EMAIL PROTECTED] wrote:
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote:
On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Similarly, the issue of
On 18/09/2008, Jukka Zitting [EMAIL PROTECTED] wrote:
Hi,
On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Not if there is a man in the middle attack. If you didn't notice the
recent noise w.r.t. DNS pollution, that's the very point of that vector.
Had
Hi,
On Thu, Sep 18, 2008 at 9:08 PM, sebb [EMAIL PROTECTED] wrote:
The checksums are _not_ downloaded from the Maven repository.
So where are they stored?
For example in our svn or signed source release packages. Along with
the source code.
BR,
Jukka Zitting
On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Hiram Chirino wrote:
So the responsibility is still on us, the upstream distributor, to
verify the checksums we list in our source distro are correct.
But at least by doing this, downstream users of our source
Right.. It's part of the source distro or SVN.
On Thu, Sep 18, 2008 at 3:10 PM, Jukka Zitting [EMAIL PROTECTED] wrote:
Hi,
On Thu, Sep 18, 2008 at 9:08 PM, sebb [EMAIL PROTECTED] wrote:
The checksums are _not_ downloaded from the Maven repository.
So where are they stored?
For example in
On Thu, Sep 18, 2008 at 3:07 PM, sebb [EMAIL PROTECTED] wrote:
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote:
On Thu, Sep 18, 2008 at 10:59 AM, sebb [EMAIL PROTECTED] wrote:
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote:
On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
that uses them.
-Original Message-
From: Davanum Srinivas [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2008 1:31 PM
To: general@incubator.apache.org
Subject: Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra
release distribution channels like the central Maven
Hiram, I wish you would desist already from debating positions that you
can't defend...
Hiram Chirino wrote:
On Thu, Sep 18, 2008 at 3:07 PM, sebb [EMAIL PROTECTED] wrote:
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote:
So the responsibility is still on us, the upstream distributor, to
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote:
On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Hiram Chirino wrote:
So the responsibility is still on us, the upstream distributor, to
verify the checksums we list in our source distro are
Trust me I'm not trying to be difficult..
On Thu, Sep 18, 2008 at 4:53 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Hiram, I wish you would desist already from debating positions that you
can't defend...
Hiram Chirino wrote:
On Thu, Sep 18, 2008 at 3:07 PM, sebb [EMAIL PROTECTED]
On Thu, Sep 18, 2008 at 4:57 PM, sebb [EMAIL PROTECTED] wrote:
On 18/09/2008, Hiram Chirino [EMAIL PROTECTED] wrote:
On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Hiram Chirino wrote:
So the responsibility is still on us, the upstream distributor, to
Hiram Chirino wrote:
Agreed. I never argued against this. But I fail to see the point?
Are you saying initial trust is hard to secure? I totally agree on
that point. You have any solutions?
Yes. You sign your package locally, never on the remote system. The ASF
hardware must never have
Hi,
On Thu, Sep 18, 2008 at 11:41 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Since the hash is not security, it's not terribly important, eh?
Hashes are a perfect tool for verifying message integrity. They won't
prove origin like signatures do, but verifiable integrity is hardly
*not*
On Wed, Sep 17, 2008 at 6:14 AM, Noel J. Bergman [EMAIL PROTECTED] wrote:
I don't know of anybody who goes to actual users and tell
them here you go, unzip that stuff there, set your
JAVA_HOME and your MAVEN_HOME properly, execute 'mvn install'
and once all test cases pass you're golden.
LOL
I voted +1, but I personally think the vote is kind of irrelevant.
FACT: The stuff in the incubator repo are Apache releases. They had the 3
binding +1 votes from the incubator IPMC members. They are releases.
FACT: The stuff in the incubator repo is all Apache Licensed artifacts.
On Wed, Sep 17, 2008 at 2:17 AM, Bertrand Delacretaz [EMAIL PROTECTED]
wrote:
On Wed, Sep 17, 2008 at 6:14 AM, Noel J. Bergman [EMAIL PROTECTED] wrote:
I don't know of anybody who goes to actual users and tell
them here you go, unzip that stuff there, set your
JAVA_HOME and your
Matthieu Riou wrote:
Exactly - that's when actual users are software developers, which is
the case for many of our projects.
Precisely. And those should be aware of disclaimers if those serve any
purpose.
Maven is *too* transparent in what it does: it hides the disclaimer,
preventing the
Dan,
It is a policy matter, not a legal one. And enforcing artifact signing
would address this and other crucial, fatal, flaws in Maven's repository
management.
I still maintain that unless Maven makes swift strides to enforce signing,
the ASF should ban the use of the Maven repository for all
Hi Noel,
If the problem you're trying to solve with artifact signing is to detect
and reject malicious artifacts that have been deployed to a hacked
repository, then there is a simpler fix that is available today. Just
use the checksum plugin that I described here:
Maven is *too* transparent in what it does: it hides the disclaimer,
preventing the POLICY of ensuring that users are explicitly aware of
and
agree to use of Incubator artifacts.
Maven doesn't *hide* anything, it simply makes requests via http. You
can use your browser to pull stuff from
Ah! i was just waiting for this response :)
I don't see any patches yet to help out
-- dims
On Wed, Sep 17, 2008 at 2:36 PM, Brian E. Fox [EMAIL PROTECTED] wrote:
Maven is *too* transparent in what it does: it hides the disclaimer,
preventing the POLICY of ensuring that users are explicitly
On Wed, Sep 17, 2008 at 1:19 PM, Noel J. Bergman [EMAIL PROTECTED] wrote:
Maven is *too* transparent in what it does: it hides the disclaimer,
preventing the POLICY of ensuring that users are explicitly aware of and
agree to use of Incubator artifacts.
I think this could easily be fixed
Just to clarify things, the artefacts published on the apache maven
repository are signed (well, to be exact, most are signed. See [1]
for the current status)
However, maven doesn't [yet] validate the signature when downloading
the artefacts (neither does ivy). See [2]
[1]
On Wed, Sep 17, 2008 at 11:36 AM, Brian E. Fox [EMAIL PROTECTED]wrote:
Maven is *too* transparent in what it does: it hides the disclaimer,
preventing the POLICY of ensuring that users are explicitly aware of
and
agree to use of Incubator artifacts.
Maven doesn't *hide* anything, it simply
On Wed, 2008-09-17 at 06:57 -0400, Daniel Kulp wrote:
I voted +1, but I personally think the vote is kind of irrelevant.
[...]
Thus:
If the central maven repository maintainers (Maven PMC) decide to put
incubator artifacts into their repository without a click through this is
On Wed, 2008-09-17 at 13:19 -0400, Noel J. Bergman wrote:
I still maintain that unless Maven makes swift strides to enforce signing,
the ASF should ban the use of the Maven repository for all ASF projects, and
go so far as to remove all of our artifacts.
sorry, but that is ridiculous. That
Henning Schmiedehausen wrote:
On Wed, 2008-09-17 at 06:57 -0400, Daniel Kulp wrote:
I voted +1, but I personally think the vote is kind of irrelevant.
Thus:
If the central maven repository maintainers (Maven PMC) decide to put
incubator artifacts into their repository without a click
Bill,
Since you are stating facts, let's make it clear that when someone
downloads the artifacts, there's a good chance that you will see the
disclaimers. With maven, we don't. That's the hiccup that caused the
policy in place right now and the bruising battle now being fought is
caused by the
True. These are the reasons I voted the way I did. Basically throwing
up my hands saying nothing much we can do other than just continue
pissing off our users...I am sure the numerous maven pmc members here
are taking note, but are probably waiting for patches :)
-- dims
On Wed, Sep 17, 2008 at
On Wed, 2008-09-17 at 20:14 -0500, William A. Rowe, Jr. wrote:
Henning Schmiedehausen wrote:
On Wed, 2008-09-17 at 06:57 -0400, Daniel Kulp wrote:
I voted +1, but I personally think the vote is kind of irrelevant.
Thus:
If the central maven repository maintainers (Maven PMC) decide
I don't know of anybody who goes to actual users and tell
them here you go, unzip that stuff there, set your
JAVA_HOME and your MAVEN_HOME properly, execute 'mvn install'
and once all test cases pass you're golden.
LOL Pretty much word for word:
$ cd PLUTO_SRCHOME
$ mvn install
$ mvn