[Yanel-dev] Maven trouble and missing signatures
Michael Wechner
michael.wechner at wyona.com
Wed Apr 30 08:51:04 CEST 2008
Josias Thöny wrote:
> Michael Wechner wrote:
>
>> Hi
>>
>> I have recently tried to install yanel from scratch on a fresh unix
>> account, where no Maven libs are located.
>>
>> It didn't work, because it seems one of the public maven servers did
>> deliver broken libs (e.g. log4j or servlet lib)
>>
>> Through this I have realized that the libs hosted by Wyona are also
>> missing signatures, which is quite a security problem in case
>> somebody would be able to log in and then replace the libs with
>> something else.
>>
>> I think we should do two things
>>
>> 1) Create signatures for our hosted libs and make the signatures
>> available on some different server so that they cannot be replaced as
>> the libs might be exchanged
>>
>> 2) Configure the build process such that if a signature check fails,
>> then also the build process fails
>>
>> WDYT?
>
>
> Some time ago I put a simple shell script into ~/bin called md5.sh
Have you checked that in somewhere?
> which creates md5 checksums of all jar/pom files in a directory.
> Here is an example how to use it:
>
> cd ~/src/realms/maven2/data/wyona-org-security/wyona-org-security-impl/0.0.1-dev-r30015
>
> md5.sh
Maybe we can also use
http://ant.apache.org/manual/CoreTasks/checksum.html
and make it part of the build process.
WDYT?
Cheers
Michi
>
> josias
>
>>
>> Cheers
>>
>> Michi
>>
>
>
--
Michael Wechner
Wyona - Open Source Content Management - Yanel, Yulup
http://www.wyona.com
michael.wechner at wyona.com, michi at apache.org
+41 44 272 91 61
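As an added illustration of the two points raised in this thread (a checksum file per hosted jar/pom, and a check that makes the build fail on mismatch), the following POSIX shell script is example code written for this page, not Josias's md5.sh nor anything from the Yanel build. It assumes GNU md5sum is available and uses a constructed artifact directory with the version string from the thread as sample input.

```shell
#!/bin/sh
# make_checksums DIR: writes "<file>.md5" next to every *.jar / *.pom in DIR,
# in the "<hash>  <file>" format that "md5sum -c" understands.
make_checksums() {
    dir="$1"
    for f in "$dir"/*.jar "$dir"/*.pom; do
        [ -f "$f" ] || continue
        ( cd "$dir" && md5sum "$(basename "$f")" > "$(basename "$f").md5" )
    done
}

# verify_checksums DIR: checks every .md5 in DIR against its artifact.
# Returns 1 on any mismatch or missing file, so a build step that calls it
# fails instead of silently using a replaced lib (point 2 of the thread).
verify_checksums() {
    dir="$1"
    status=0
    for sum in "$dir"/*.md5; do
        [ -f "$sum" ] || continue
        if ! ( cd "$dir" && md5sum -c --status "$(basename "$sum")" ); then
            echo "CHECKSUM MISMATCH: $sum" >&2
            status=1
        fi
    done
    return $status
}

# Constructed demo: two fake artifacts, a clean check, then a replaced jar.
demo() {
    d=$(mktemp -d)
    printf 'jar-bytes'  > "$d/wyona-org-security-impl-0.0.1-dev-r30015.jar"
    printf '<project/>' > "$d/wyona-org-security-impl-0.0.1-dev-r30015.pom"
    make_checksums "$d"
    verify_checksums "$d" && echo "clean tree: ok"
    printf 'replaced' > "$d/wyona-org-security-impl-0.0.1-dev-r30015.jar"
    if verify_checksums "$d"; then echo "tampered jar NOT detected"; else echo "tampered jar: detected"; fi
    rm -rf "$d"
}

demo
```

The .md5 files only help if they are published on a different host than the artifacts (point 1 of the thread); side by side with the jars, whoever can replace a lib can regenerate its checksum too.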