On Tue, 8 Jun 2004, Jason van Zyl wrote:

> On Tue, 2004-06-08 at 22:59, Julian C. Dunn wrote:
>
> > I must admit that I share their concern; I'm curious to know whether the
> > security implications of this have been discussed at all.
>
> Many times, we have use cases, and the upload process will become more
> rigorous over time. We've also had a couple more complete proposals
> submitted: one by Nat Pryce and one by John Casey
>
> For reference:
>
> http://docs.codehaus.org/display/MAVEN/Repository+-+Security
> http://docs.codehaus.org/display/MAVEN/Repository+-+Security+by+nat+pryce

Those articles pretty much reflect my (and my sysadmins') concerns, thank you.

> Some may consider it negligence but I considered convenience to be the
> overriding concern. I realize security is an issue, but I feel it's
> become a bit of a boogeyman. Anything is possible and maybe there is some
> really, really bored guy with nothing better to do than muck up the
> works for everyone but I'm really hoping that doesn't happen. But in m2
> we will have options for the paranoid and the upload process will be
> easier and more secure.

Well, we all "hope" that nobody mucks up the repository, but that only gets you so far -- all you have to do is ask the Debian or FSF maintainers whose sites got cracked how far "hope" gets you. I would rather that the Maven community take proactive steps to rectify this, rather than getting egg on our collective faces when the repo does get mangled, either by accident or on purpose.

I'll give you an example of a case where even "accidental" repo mangling has caused us grief: commons-configuration. The JAR that is up there on ibiblio labelled 1.0-dev doesn't contain the same code as the current one (also labelled 1.0-dev) which you can download off the Jakarta site. I had a developer run across this just today: when he ran his code against what he thought was the "correct" 1.0-dev JAR but was in fact the old one from ibiblio, the code blew up, predictably.

In my mind, the correct approach as suggested by Casey, Pryce et al. is to store the MD5 or SHA1 checksums offline, i.e. not in the same place as the JARs themselves, and then to transfer those securely. This is basically the approach used by the FreeBSD ports system or NetBSD pkgsrc. The actual transfer of the JARs need not be secure as long as the checksums are trustworthy.

- Julian

--
Julian C. Dunn <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Software Developer, CBC.ca Production & Operations
Office: 2C310-I * Tel.: (416)-205-5592
PGP Key: 0xDA6A5B30 [7DCD A0C3 8B6F 6A76 F4CD 9F9B F941 A1B2 DA6A 5B30]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
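The checksum-manifest scheme Julian describes above (digests kept and fetched separately from the JARs, the JAR download itself untrusted, every artifact verified against the manifest before use), as an added example that is not part of the original thread or of Maven: a small Python verifier for FreeBSD-ports-style distinfo lines. The artifact bytes and the manifest are constructed inline; the file name reuses the commons-configuration-1.0-dev.jar case from the message, and the mismatch scenario stands in for the stale-JAR problem he hit. The parser accepts SHA256 lines as well as the MD5 and SHA1 named in the thread; that is an addition, and the one to prefer, since MD5 is no longer collision-resistant.

```python
import hashlib
import hmac
import re

# One distinfo-style manifest line, e.g.
#   SHA1 (commons-configuration-1.0-dev.jar) = 0123abcd...
# The manifest is assumed to arrive over a trusted channel; the JAR bytes do not.
DISTINFO_LINE = re.compile(
    r"^(?P<algo>MD5|SHA1|SHA256) \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]+)$"
)

# Manifest algorithm name -> hashlib constructor name.
ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_distinfo(text):
    """Parse manifest text into {artifact name: [(algo, lowercase hex digest), ...]}.

    Raises ValueError on any line that is not a recognised entry, a comment or
    blank: an unparseable manifest must never be treated as 'nothing to check'.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError(f"distinfo line {lineno}: unparseable entry {raw!r}")
        algo, digest = m.group("algo"), m.group("digest").lower()
        expected_len = hashlib.new(ALGORITHMS[algo]).digest_size * 2
        if len(digest) != expected_len:
            raise ValueError(f"distinfo line {lineno}: {algo} digest has wrong length")
        entries.setdefault(m.group("name"), []).append((algo, digest))
    return entries


def make_distinfo(name, data, algos=("SHA1",)):
    """Offline/publisher side: emit the manifest lines for one artifact."""
    return "\n".join(
        f"{algo} ({name}) = {hashlib.new(ALGORITHMS[algo], data).hexdigest()}"
        for algo in algos
    )


def verify_artifact(name, data, entries):
    """Download side: return (ok, reason). Every digest listed for the name must match."""
    expected = entries.get(name)
    if not expected:
        # An artifact the manifest does not know about is rejected, not waved through.
        return False, f"{name}: not listed in manifest"
    for algo, digest in expected:
        actual = hashlib.new(ALGORITHMS[algo], data).hexdigest()
        if not hmac.compare_digest(actual, digest):
            return False, f"{name}: {algo} mismatch (expected {digest}, got {actual})"
    return True, f"{name}: all {len(expected)} digest(s) match"


def demo():
    """Constructed scenario: genuine JAR, a stale/altered JAR, and an unlisted one."""
    name = "commons-configuration-1.0-dev.jar"
    genuine = b"PK\x03\x04 constructed jar bytes for the current 1.0-dev build"
    stale = b"PK\x03\x04 constructed jar bytes for an older 1.0-dev build"

    # The publisher hashes the genuine build offline and ships only this text securely.
    manifest = parse_distinfo(make_distinfo(name, genuine, ("SHA1", "SHA256")))

    return {
        "genuine": verify_artifact(name, genuine, manifest)[0],
        "stale": verify_artifact(name, stale, manifest)[0],
        "unlisted": verify_artifact("other-1.0.jar", genuine, manifest)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Two things the manifest buys and one it does not: a JAR fetched over plain HTTP is accepted only if its bytes hash to what the offline manifest says, so the ibiblio-versus-Jakarta mismatch in the message is caught before the code runs rather than when it "blows up"; a JAR the manifest never listed is refused outright. What it does not establish is who produced the manifest: that still rests on the secure channel (or a signature over the manifest) that the thread's proposals ask for.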
