[Yanel-dev] Maven trouble and missing signatures
Michael Wechner
michael.wechner at wyona.com
Sat Apr 26 00:11:51 CEST 2008
Hi

I have recently tried to install yanel from scratch on a fresh unix
account, where no Maven libs are located.

It didn't work, because it seems one of the public maven servers did
deliver broken libs (e.g. log4j or servlet lib).

Through this I have realized that the libs hosted by Wyona also are
missing signatures, which is quite some security problem in case
somebody would be able to log in and then replace the libs with something
else.

I think we should do two things:

1) Create signatures for our hosted libs and make the signatures
available on some different server so that they cannot be replaced as
the libs might be exchanged

2) Configure the build process such that if a signature check fails,
then also the build process fails

WDYT?

Cheers

Michi
--
Michael Wechner
Wyona - Open Source Content Management - Yanel, Yulup
http://www.wyona.com
michael.wechner at wyona.com, michi at apache.org
+41 44 272 91 61
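
A sketch of the two steps proposed in the message above, added here as an example and not part of the original mail or of the Yanel build. It swaps in a SHA-256 digest manifest for the signatures: the manifest is assumed to come from a different server than the libs and to be signature-checked itself (for example with GPG) before use. The jar names and contents are constructed sample data.

```python
import hashlib
import hmac
import sys
import tempfile
from pathlib import Path


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style 'hexdigest  filename' lines into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(maxsplit=1)
            entries[name.strip()] = digest.lower()
    return entries


def verify_libs(lib_dir, manifest):
    """Return a list of failures; an empty list means every lib checked out."""
    present = {p.name for p in lib_dir.iterdir() if p.is_file()}
    # Fail closed: a lib the manifest does not know about is also an error.
    failures = [f"{n}: not listed in manifest" for n in sorted(present - set(manifest))]
    for name, expected in sorted(manifest.items()):
        if name not in present:
            failures.append(f"{name}: missing")
        elif not hmac.compare_digest(sha256_of(lib_dir / name), expected):
            failures.append(f"{name}: digest mismatch")
    return failures


def demo():
    """Constructed sample: the manifest is built, then one jar is replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        libs = Path(tmp)
        for name in ("good.jar", "swapped.jar"):
            (libs / name).write_bytes(b"original bytes of " + name.encode())
        manifest = parse_manifest(
            "\n".join(f"{sha256_of(p)}  {p.name}" for p in libs.iterdir()))
        (libs / "swapped.jar").write_bytes(b"replaced bytes")
        (libs / "extra.jar").write_bytes(b"dropped in later")
        return verify_libs(libs, manifest)


if __name__ == "__main__":
    problems = demo()
    print("\n".join(problems) or "all libs verified")
    sys.exit(1 if problems else 0)  # non-zero exit is what fails the build
```

Run as a step before compilation, the non-zero exit status stops the build when any lib was replaced, added or removed relative to the manifest.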