Re: repo security

2005-02-04 Thread Niclas Hedhman
On Saturday 05 February 2005 03:42, Henri Yandell wrote: > On Wed, 12 Jan 2005 21:01:41 +, Steve Loughran > > <[EMAIL PROTECTED]> wrote: > > We do need to make it easy to sign stuff. > > I'm new to the list, so I could be missing a lot of context. > > I think the most important thing to do is t

Re: repo security

2005-02-04 Thread Steve Loughran
On Fri, 4 Feb 2005 14:42:54 -0500, Henri Yandell <[EMAIL PROTECTED]> wrote: > On Wed, 12 Jan 2005 21:01:41 +, Steve Loughran > <[EMAIL PROTECTED]> wrote: > > > We do need to make it easy to sign stuff. > > I'm new to the list, so I could be missing a lot of context. > > I think the most impo

Re: repo security

2005-02-04 Thread Henri Yandell
On Wed, 12 Jan 2005 21:01:41 +, Steve Loughran <[EMAIL PROTECTED]> wrote:
> We do need to make it easy to sign stuff.

I'm new to the list, so I could be missing a lot of context. I think the most important thing to do is to make it easy to check the signature of stuff. I know this will main

Re: repo security

2005-01-13 Thread Brett Porter
IL PROTECTED]
> Sent: Thu 1/13/2005 2:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: repo security
>
> > Would we be talking about "gpg --armor --output commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar". Or, is there some other me

Re: repo security

2005-01-13 Thread Brett Porter
> Would we be talking about "gpg --armor --output commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar". Or, is there some other mechanism we would need to go through?

This is what I'd intended to do in Wagon using Bouncycastle. And as Steve mentions, it can be at the user's discretion:

Re: repo security

2005-01-13 Thread Steve Loughran
On Thu, 13 Jan 2005 10:51:30 -0500, Tim O'Brien <[EMAIL PROTECTED]> wrote:
> Steve,
>
> Would we be talking about "gpg --armor --output commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar". Or, is there some other mechanism we would need to go through?

It would be essential for java

RE: repo security

2005-01-13 Thread Tim O'Brien
ry 13, 2005 7:20 AM > To: [EMAIL PROTECTED] > Subject: Re: repo security > > On Thu, 13 Jan 2005 10:29:51 +, Steve Loughran > <[EMAIL PROTECTED]> wrote: > > On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter > <[EMAIL PROTECTED]> wrote: > > > Hi Ste

Re: repo security

2005-01-13 Thread Steve Loughran
On Thu, 13 Jan 2005 10:29:51 +, Steve Loughran <[EMAIL PROTECTED]> wrote: > On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter <[EMAIL PROTECTED]> wrote: > > Hi Steve, > > > > I'd like to do whatever we can to get better security on this stuff. I > > just need to get my head around what JAR signi

Re: repo security

2005-01-13 Thread Steve Loughran
On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter <[EMAIL PROTECTED]> wrote: > Hi Steve, > > I'd like to do whatever we can to get better security on this stuff. I > just need to get my head around what JAR signing provides in > comparison to key signing, and what impact it might have on existing >

RE: repo security

2005-01-12 Thread Noel J. Bergman
> One thing I'd like to see is *every* JAR signed w/ certs under a single CA, say the Maven one.

Well, we have an ASF CA, which I would trust. Talk with Ben Laurie about it.

--- Noel

Re: repo security

2005-01-12 Thread Brett Porter
Hi Steve, I'd like to do whatever we can to get better security on this stuff. I just need to get my head around what JAR signing provides in comparison to key signing, and what impact it might have on existing code. I'll read up on it. Is there a rough timeframe on the next Ant release so we can