We are now looking at a timescale of lateish summer for Ant1.7, and
the <libraries> task will ship, with a fair amount of todo items
associated with it : http://wiki.apache.org/ant/Ant17_2fPlanning
<jarssigned> policy to verify that jars are signed (for private repostories)
<md5verify> verify .md5 files
<apachesigned> to use whatever our apache signed policy is going to be
+offline handling with a -offline flag and related things.
Now is the time to do any restructuring of the repository layout,
better mirroring, better security, before many more people start
relying on the existing stuff.
What if we add an XML file of security info next to each artifact,
this file contains different security signatures all in one place
<security>
<signatory>
<name>apache</name>
<publiccert>....</publiccert>
<signings>
<signing>
<name>md5</name>
<date>2005-04-12</data>
<data>05ff3b3a1</data> //MD5 checksum
<signature> ... </signature> //MD5 date+date as signed by the pki
</signing>
<signing>
<name>GPG</name>
....
</signing>
</signings>
</signatory>
</security>
So we can have multiple, different signings by the same public-key
defined entity, we use signed datestamps to indicate that the files
were signed when the certs were valid (i.e. it is not an error to
verify something against an expired cert. as long as the cert was
valid at signing time)., new key mechanisms/certs can be added later
without adding new files to the system, and one get of
artifact.security is enough to return *all* the security information.
Java stuff could be signed with signed MD5 and/or SHA1; using a keygen
generated certificate that we (apache) indicate is valid (by way of
GPG sigs), and include in the Ant/Maven distros. GPG security could be
included too, but wouldnt be used for out the box validation as it
aint built into the Java runtime.
Native code can be signed with GPG inline.
What do people think?
<md5signature>44ff34...</md5sig
</signing>
</signatory>
</signing>
