What is the point of Maven's OpenPGP signatures if anyone can create and upload any keys?


Sonatype requires (non-snapshot version) artifacts to be GPG-signed; the public OpenPGP keys should be uploaded to the (MIT) key server.

But anyone can create an OpenPGP key with any name and e-mail, and upload it to the key server. There is (as far as I know; or am I wrong?) no automatic mechanism in place to associate a particular software project/library with a particular public key. Sure, if one wants to check the authenticity of artifacts, one can request the public key from the software authors, or perhaps the key is published somewhere (in a way that associates it with the particular software project); but since this can not be done automatically, hardly anyone ever does it.

So it seems the whole OpenPGP-signing procedure, being quite technical and time-consuming, serves more to instill a false sense of security than to provide security to the average user.

So shouldn't there be an automatic/streamlined way to associate software projects with OpenPGP keys to make the whole thing secure?

Applying OpenPGP signatures allows others to verify authorship through the web of trust. It is indeed a rather complicated approach with a rather steep learning curve, and it is not enforced by default.

Sander Mak wrote an excellent introduction to verification of OpenPGP signatures in Maven. Sadly, it does not show a better way of performing automatic verification than using commercial software as a Maven Central proxy:

Automatic verification?

By now, you must be thinking 'that's an awful lot of work to verify a single dependency'. And you're absolutely right. Applications typically use many dependencies, and checking them by hand becomes tedious. In my opinion, there is a huge opportunity for Maven-based build tools to support automatic PGP signature verification. Until that is the case though, you can use Sonatype's Nexus repository manager as a proxy for Maven Central. It can automatically check PGP signatures of proxied artifacts and refuse to serve them when the signature check fails. Unfortunately, this is only possible using the commercial version Nexus Pro, not the open source version.

I came across a rather new project, the verify pgp signatures plugin (code on GitHub), a Maven artifact that verifies OpenPGP signatures of other artifacts and enables a whitelist of keys allowed to sign given artifacts.
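The whitelist idea from the answer above, as an added example that is not part of the Stack Overflow post and not code from the plugin it mentions: a signature from the keyserver is only worth something if the signing key's full fingerprint is pinned for that specific groupId:artifactId, so the script runs gpg with --status-fd and accepts an artifact only when a VALIDSIG line names a pinned fingerprint. The coordinates, fingerprints and gpg status lines below are constructed sample data; the pinned set is an assumed file you would keep under code review alongside your build.

```python
"""Pin Maven signing keys per artifact instead of trusting the keyserver.

Added example, not the plugin's own code. PINNED_KEYS and the SAMPLE_* status
outputs are constructed; replace the pinned fingerprints with the ones you have
obtained out of band from each project's authors.
"""
import re
import subprocess
from typing import Optional, Set

# Constructed whitelist: "groupId:artifactId" -> allowed 40-hex key fingerprints.
# A key that is valid for one artifact does not become valid for any other.
PINNED_KEYS = {
    "org.example:example-lib": {"0123456789ABCDEF0123456789ABCDEF01234567"},
}

# gpg --status-fd lines that mean the signature must be rejected outright.
FAILURE_RE = re.compile(r"^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)\b")
FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def signer_fingerprints(status_output: str) -> Set[str]:
    """Collect fingerprints from VALIDSIG lines of gpg --status-fd output.

    GOODSIG alone is not enough: it carries only a short key ID and a user ID,
    and anyone can upload a key with any name to a keyserver. VALIDSIG carries
    the full fingerprint of the signing (sub)key as its first field and, when
    present, the primary key fingerprint as its last field; either may be pinned.
    """
    found: Set[str] = set()
    for line in status_output.splitlines():
        if FAILURE_RE.match(line):
            return set()
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            for candidate in (fields[2], fields[-1]):
                if FPR_RE.match(candidate):
                    found.add(candidate)
    return found


def check_status(coords: str, status_output: str) -> bool:
    """True only if a valid signature was made by a key pinned for coords."""
    return bool(signer_fingerprints(status_output) & PINNED_KEYS.get(coords, set()))


def verify_artifact(coords: str, artifact_path: str, asc_path: str,
                    gnupghome: Optional[str] = None) -> bool:
    """Run gpg on a downloaded artifact and its detached .asc signature.

    gpg's exit status is deliberately ignored: a 'good' signature from an
    unpinned key is still a failure for our purposes.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, artifact_path]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return check_status(coords, proc.stdout)


# Constructed gpg status output for a signature from the pinned key.
SAMPLE_PINNED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Dev <dev@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-01-01 "
    "1577836800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
# Constructed: a perfectly valid signature, but from a key nobody pinned
# (e.g. a look-alike key somebody uploaded to the keyserver).
SAMPLE_UNPINNED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG FEDCBA9876543210 Example Dev <dev@example.org>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2020-01-01 "
    "1577836800 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
)
# Constructed: the artifact was tampered with after signing.
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Dev <dev@example.org>\n"

if __name__ == "__main__":
    for name, status in (("pinned", SAMPLE_PINNED), ("unpinned", SAMPLE_UNPINNED), ("bad", SAMPLE_BAD)):
        print(name, "->", "accept" if check_status("org.example:example-lib", status) else "reject")
```

verify_artifact is the function to call from a build hook after fetching the .jar and its .asc; the three constants only exercise the decision logic offline. Keeping the fingerprint set per artifact is what closes the gap the question describes: the keyserver still lets anyone publish a key under any name, but that key cannot sign anything you accept until a reviewed change adds its fingerprint for a specific artifact.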
