[Yanel-dev] Maven trouble and missing signatures
Michael Wechner
michael.wechner at wyona.com
Sat Apr 26 00:25:42 CEST 2008
Michael Wechner wrote:
> Hi
>
> I have recently tried to install yanel from scratch on a fresh unix
> account, where no Maven libs are located.
>
> It didn't work, because it seems one of the public maven servers did
> deliver broken libs (e.g. log4j or servlet lib)
>
> Through this I have realized that the libs hosted by Wyona also are
> missing signatures, which is quite some security problem in case
> somebody would be able to log in and then replace the libs with
> something else.
>
> I think we should do two things
>
> 1) Create signatures for our hosted libs and make the signatures
> available on some different server so that they cannot be replaced as
> the libs might be exchanged
>
> 2) Configure the build process such that if a signature check fails,
> then also the build process fails
btw, by signature I mean checksum
http://maven.apache.org/plugins/maven-install-plugin/examples/installing-checksums.html
Also see for example
http://www.win.tue.nl/hashclash/SoftIntCodeSign/
http://ant.apache.org/manual/CoreTasks/checksum.html
http://people.apache.org/~henkp/checker/doc.html#what-is
Also "release integrity" http://tomcat.apache.org/download-55.cgi
Cheers
Michael
>
> WDYT?
>
> Cheers
>
> Michi
>
--
Michael Wechner
Wyona - Open Source Content Management - Yanel, Yulup
http://www.wyona.com
michael.wechner at wyona.com, michi at apache.org
+41 44 272 91 61
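As an added example (not code from the Yanel project or from this thread), a POSIX shell checksum gate in the spirit of points 1) and 2) above: the artifact's `.sha1` file is assumed to be fetched from a separate, trusted location (the paths below are hypothetical), and a mismatch makes the calling build step fail.

```shell
#!/bin/sh
# Added example, not from the Yanel project. Maven repositories publish an
# <artifact>.sha1 file next to each artifact; here the .sha1 is assumed to come
# from a separate, trusted server, so swapping only the jar is detected.

# verify_artifact <artifact> <checksum-file>
# Compares the artifact's SHA-1 with the digest in the checksum file.
# Returns 0 on match, 1 on mismatch or missing input, so a build step can do:
#   verify_artifact lib/log4j.jar trusted/log4j.jar.sha1 || exit 1
verify_artifact() {
    artifact=$1
    checksum_file=$2
    [ -f "$artifact" ] && [ -f "$checksum_file" ] || return 1

    # Maven .sha1 files hold the hex digest, sometimes followed by a filename;
    # take the first token of the first line and normalise its case.
    expected=$(awk 'NR==1 {print tolower($1)}' "$checksum_file")
    actual=$(sha1sum "$artifact" | awk '{print tolower($1)}')

    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed demo data: a fake "jar", its genuine digest, and a tampered copy.
demo() {
    dir=$(mktemp -d)
    printf 'original library bytes\n' > "$dir/lib.jar"
    sha1sum "$dir/lib.jar" | awk '{print $1}' > "$dir/lib.jar.sha1"
    printf 'replaced library bytes\n' > "$dir/tampered.jar"

    if verify_artifact "$dir/lib.jar" "$dir/lib.jar.sha1"; then good=0; else good=1; fi
    if verify_artifact "$dir/tampered.jar" "$dir/lib.jar.sha1"; then bad=0; else bad=1; fi
    rm -rf "$dir"
    echo "genuine=$good tampered=$bad"
}
```

Calling `demo` prints `genuine=0 tampered=1`; in a real build the `|| exit 1` after `verify_artifact` is what turns a checksum mismatch into a failed build.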