Hi Ceki,

Can you please provide us an update on when we can expect slf4j (and logback) shipped as signed jars. And also, please consider publishing md5/sha1 checksums on your site. This would help us to push for using slf4j in security-conscious organizations.
Thanks,
Elisha Ebenezer

On Sat, May 8, 2010 at 8:44 PM, Joern Huxhorn <jhuxh...@googlemail.com> wrote:
> Hi Jeff,
>
> thank you very much for this information and your article! I wasn't aware
> of this plugin.
>
> I just changed my build process for Lilith accordingly.
> See
> http://github.com/huxi/lilith/commit/c2689ee57b263c6a2cb6241547a991703354bc6f
>
> I had to jump through some loops, though, since I have gpg2 instead of gpg:
>
> The following two properties had to be added to my pom:
> <gpg.useagent>true</gpg.useagent>
> <gpg.keyname>740A1840</gpg.keyname>
>
> The first one makes sure that gpg isn't complaining about an invalid option
> (--no-use-agent was removed in gpg2) and doesn't ask for a passphrase
> anymore.
> This was quite tricky since the documentation of maven-gpg-plugin says that
> it's called useAgent, which it isn't!
>
> The second one selects the correct key used for the signature - which is a
> good idea if you have more than one.
>
> I wanted to comment on your article but, unfortunately, comments are
> disabled.
>
> Cheers,
> Joern.
>
> On 08.05.2010, at 03:23, Jeff Jensen wrote:
>
> It is best if the artifacts are signed. Sometime in the near future,
> Central/Nexus will not accept artifacts without being signed.
>
> This would prove the source for you more than the hashes.
>
> Ceki: you should start signing the release artifacts. It is very easy -
> I've done it already on a few products and Sonatype has a very good page
> describing how. Maven will do it automatically for you:
>
> http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven
>
> From: slf4j-user-boun...@qos.ch [mailto:slf4j-user-boun...@qos.ch] On Behalf Of Joern Huxhorn
> Sent: Friday, May 07, 2010 3:50 AM
> To: User list for the slf4j project
> Subject: Re: [slf4j-user] Signatures for verifying Slf4j
>
> One solution could be the use of signed tags for SLF4J and Logback.
> That way it would be possible to pull the git repository, check the
> signature of the tag and build SLF4J and Logback yourself afterwards.
> I think the MD5 and SHA1 of Maven repository are merely a way to prevent
> corrupted files, not an actual security feature.
>
> Cheers,
> Joern.
>
> On 07.05.2010, at 09:26, Elisha Ebenezer wrote:
>
> Hi Ceki,
> I'm trying to push to use Slf4j and logback in our project and my company
> wants me to get the MD5 or SHA1 hashes or the code-signing certs to verify
> the integrity of downloaded files.
>
> Though repo1.maven.org site provides the hashes, we are not sure whether
> the war and the hash are uploaded by a genuine party or not.
>
> As you are the owner of the project, I request you to kindly publish the
> hashes or certs on the website's download page, which can be cross-checked with
> the downloaded war and/or also with the maven repository.
>
> Kindly do the needful and oblige.
>
> Thanks,
> Elisha Ebenezer.
_______________________________________________ slf4j-user mailing list slf4j-user@qos.ch http://qos.ch/mailman/listinfo/slf4j-user
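The consumer-side checks the thread is asking for, written out as an added example; this is not code from the original thread and not slf4j or logback project code. It assumes POSIX sh with sha1sum/md5sum (or the BSD shasum/md5) on PATH, gpg with the maintainer's public key already imported and git for the signed-tag path, and the jar names, the key fingerprint and the tag name in it are placeholders. It covers all three mechanisms discussed: the .sha1/.md5 sidecars (corruption check only, as Joern notes, since whoever uploads the jar also uploads the sidecar), a detached .asc PGP signature once releases are signed, and verifying a signed git tag before building from source.

```shell
#!/bin/sh
# Added example (not slf4j/logback project code): consumer-side checks for a
# Maven Central artifact as discussed in the thread.
#  * .sha1/.md5 sidecars: detect corruption only; whoever uploaded the jar
#    also uploaded the sidecar, so a match proves nothing about the origin.
#  * .asc detached PGP signature (once the project signs releases): ties the
#    jar to a key you have verified out of band.
#  * signed git tag: verify the tag, then build from source yourself.
# File names, the fingerprint and the tag name below are placeholders.

# Print the lower-case hex digest of a file, using whichever tool exists
# (GNU coreutils sha1sum/md5sum or the BSD shasum/md5 equivalents).
digest() {  # digest <sha1|md5> <file>
    case "$1" in
        sha1) gnu=sha1sum; bsd="shasum -a 1" ;;
        md5)  gnu=md5sum;  bsd="md5 -r" ;;
        *) echo "digest: unsupported algorithm '$1'" >&2; return 2 ;;
    esac
    if command -v "$gnu" >/dev/null 2>&1; then
        "$gnu" "$2" | awk '{ print tolower($1) }'
    else
        $bsd "$2" | awk '{ print tolower($1) }'
    fi
}

# Compare a file with its Maven sidecar. Sidecars on Central hold the bare
# hex digest, sometimes followed by whitespace and a file name, sometimes in
# upper case, so only the first token is used and case is normalised.
verify_checksum() {  # verify_checksum <sha1|md5> <file> <sidecar>
    expected=$(awk 'NR == 1 { print tolower($1) }' "$3")
    actual=$(digest "$1" "$2") || return 2
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify a detached signature and insist on the full fingerprint of the
# signing key. gpg's machine-readable status lines look like
#   [GNUPG:] VALIDSIG <fingerprint> <date> ...
# and VALIDSIG only appears when the signature is cryptographically good.
# Comparing the full fingerprint rather than a short key id avoids accepting
# a different key that happens to share the 32-bit id.
verify_pgp_signature() {  # verify_pgp_signature <file> <file.asc> <fingerprint>
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | awk -v fp="$3" '$2 == "VALIDSIG" && $3 == fp { ok = 1 } END { exit !ok }'
}

# Joern's alternative: verify the tag's signature in a clone of the
# repository, then build from that tag instead of trusting a binary.
verify_signed_tag() {  # verify_signed_tag <repo-dir> <tag>
    ( cd "$1" && git verify-tag "$2" )
}

# Offline demonstration with a constructed "jar": the bytes "hello\n", whose
# SHA-1 and MD5 are well known, plus a tampered copy that must be rejected.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'hello\n' > "$tmp/lib.jar"
    printf 'hellO\n' > "$tmp/tampered.jar"
    printf 'F572D396FAE9206628714FB2CE00F72E94F2258F  lib.jar\n' > "$tmp/lib.jar.sha1"
    printf 'b1946ac92492d2347c6235b4d2611184\n' > "$tmp/lib.jar.md5"

    verify_checksum sha1 "$tmp/lib.jar" "$tmp/lib.jar.sha1" && echo "sha1 ok"
    verify_checksum md5  "$tmp/lib.jar" "$tmp/lib.jar.md5"  && echo "md5 ok"
    verify_checksum sha1 "$tmp/tampered.jar" "$tmp/lib.jar.sha1" || echo "tampered copy rejected"

    # With real downloads you would continue with, for example:
    #   verify_pgp_signature slf4j-api-X.jar slf4j-api-X.jar.asc "<FULL FINGERPRINT>"
    #   verify_signed_tag ./slf4j v_X
    rm -rf "$tmp"
}

demo
```

The producer-side `gpg.keyname` in Joern's pom is a short key id, which is fine for choosing among your own keys, but on the consuming side the function above deliberately compares the full fingerprint: short ids are 32 bits and can be matched by an attacker-generated key, so a key fetched from a keyserver by short id is not evidence of who signed the jar.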