Central and Man-in-the-middle


Mark Derricutt
Hey all,

Just been reading [1] after it was mentioned in both #scala and #clojure
on irc.freenode.org. Now, is there anything that can be done to alleviate
some of these issues?

oss.sonatype.org now requires everything to be GPG signed before being
uploaded to central, but I'm not sure about any of the other means of
getting artifacts uploaded.

Are there any plugins out there to verify GPG signatures of dependencies?

Something to discuss on the dev-hangout maybe?


[1] https://news.ycombinator.com/item?id=8099713

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Central and Man-in-the-middle

Brian Fox-2
We are already in the process of making this open for free to
everyone. Way back in 2012 the CDN situation was different, but we just
renewed the contract and SSL is part of it. Once this is set up, we
should consider changing the super POM to use SSL by default.

Obviously doing something to validate pgp signatures is even better.

On Mon, Jul 28, 2014 at 10:14 PM, Mark Derricutt <[hidden email]> wrote:

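Brian's point about the super POM defaulting to plain http for `central` can be handled on the client side without waiting for a new super POM release: a mirror entry in the user's settings.xml. The following is an added example, not configuration from the thread or from the Maven project; the Maven 3 super POM of that era declared `central` with an http URL (shown first for contrast), and the https endpoint is the one the linked Sonatype announcement describes.

```xml
<!-- Weak default (what the Maven 3 super POM of the time effectively gave you):
     <repository>
       <id>central</id>
       <url>http://repo.maven.apache.org/maven2</url>
     </repository>
     Anyone on the path can swap the bytes of a jar or a pom.

     Hardened: ~/.m2/settings.xml routes every request for the repository with
     id "central" through the TLS endpoint, whatever the super POM says. -->
<settings>
  <mirrors>
    <mirror>
      <id>central-https</id>
      <name>Maven Central over TLS</name>
      <mirrorOf>central</mirrorOf>
      <url>https://repo1.maven.org/maven2</url>
    </mirror>
  </mirrors>
</settings>
```

Two caveats a practitioner should keep in mind. First, `<mirrorOf>central</mirrorOf>` only catches the repository with id `central`; repositories declared in a dependency's POM under another id still use whatever URL they declare. `<mirrorOf>external:*</mirrorOf>` (every repository not on localhost or a file: URL) catches those too, but then every artifact they serve must be available from the mirror URL or the build fails. Second, TLS authenticates the CDN endpoint you are talking to, not the person who published the artifact, which is why the thread keeps coming back to PGP signatures and checksums.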

Re: Central and Man-in-the-middle

brettporter
Administrator

On 29 Jul 2014, at 12:14 pm, Mark Derricutt <[hidden email]> wrote:

> Hey all,
>
> Just been reading [1] after it was mentioned in both #scala and #clojure on irc.freenode.org now, is there anything that can be done to alleviate some of these issues?
>
> oss.sonatype.org now requires everything to be GPG signed before being uploaded to central, but I'm not sure about any of the other means of getting artifacts uploaded.
>
> Are there any plugins out there to verify GPG signings of dependencies?

If anyone is interested in picking up work on this, I pulled some things together some years ago: http://docs.codehaus.org/display/MAVEN/Repository+Security

There was a working prototype against Maven 2, but for various reasons didn't get further than that.

- Brett



Re: Central and Man-in-the-middle

Hervé BOUTEMY
Direct control by Maven while downloading dependencies seems ideal, but I fear
it's hard to have normal users aware of keys and managing them while building
their artifacts.

I imagine something useful would be some report too, to display the status of
actual dependencies: imagine adding key reference to every dependency in
dependencies report [1]

Anybody interested in coding such improvement?
or any other idea?

Definitely, it seems the right moment to improve users' awareness about security:
IMHO, people will discover that security isn't automagic and will require
involvement to decide what to trust and what not to trust, and that trust is a
personal choice.

Regards,

Hervé

[1] http://maven.apache.org/plugins/maven-dependency-plugin/dependencies.html

On Tuesday 29 July 2014 13:31:30 Brett Porter wrote:


Re: Central and Man-in-the-middle

Bernd Eckenfels
Hello,

I started a POC a while back which can "lock" dependencies by a
special checksum file. However, it is not really secure as a plugin, as
you cannot prevent other plugins from overwriting you.

It is not finished; it was an exercise in some internal Maven APIs:

https://github.com/ecki/lockdep-maven-plugin

There is a productive plugin which can generate checksums, but not
check them:

https://github.com/nicoulaj/checksum-maven-plugin

Greetings
Bernd

BTW: Bintray's jcenter mirrors central and other stuff and offers SSL; of
course it adds additional possibilities to inject malicious stuff.
And yes, there are PGP files, but not really a good way to verify
them. I wish ASF infra would publish an md5sum of their maven2
directory.

On Tue, 29 Jul 2014
22:14:33 +0200, Hervé BOUTEMY <[hidden email]> wrote:

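Bernd's lock-by-checksum idea, written as a stand-alone script rather than a Maven plugin. Running it over the local repository before or after the build, outside Maven's plugin lifecycle, sidesteps the ordering problem he mentions (another plugin cannot overwrite a checker that is not a plugin). This is an added example, not code from lockdep-maven-plugin or checksum-maven-plugin; the lock format (JSON of `groupId:artifactId:version` to SHA-256) is an assumption of mine, and the repository tree, coordinates and jar bytes in `demo()` are constructed for the illustration.

```python
"""Lock and verify the SHA-256 of every jar in a Maven local repository.
Added example; not the thread's or any plugin's code."""
import hashlib
import json
import tempfile
from pathlib import Path


def iter_artifacts(repo_root):
    """Yield (coordinate, path) for every .jar under a Maven repository tree.

    Maven lays out <root>/<group/as/dirs>/<artifactId>/<version>/<artifactId>-<version>.jar,
    so the coordinate can be recovered from the directory structure alone."""
    root = Path(repo_root)
    for jar in sorted(root.rglob("*.jar")):
        version_dir = jar.parent
        artifact_dir = version_dir.parent
        group_path = artifact_dir.parent.relative_to(root)
        coord = f"{'.'.join(group_path.parts)}:{artifact_dir.name}:{version_dir.name}"
        yield coord, jar


def sha256_file(path):
    """Stream the file so large jars do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_lock(repo_root, lock_path):
    """Record the digest of every artifact currently present. Trust on first use:
    this only pins what you reviewed at the time you ran it."""
    lock = {coord: sha256_file(p) for coord, p in iter_artifacts(repo_root)}
    Path(lock_path).write_text(json.dumps(lock, indent=2, sort_keys=True))
    return lock


def verify_lock(repo_root, lock_path):
    """Return a sorted-by-path list of problems; an empty list means every jar matches.

    MISMATCH: bytes differ from the lock (tampered download or silently replaced release).
    UNLOCKED: a jar nobody reviewed, e.g. a new transitive dependency.
    MISSING:  a locked artifact is no longer present."""
    expected = json.loads(Path(lock_path).read_text())
    problems, seen = [], set()
    for coord, path in iter_artifacts(repo_root):
        seen.add(coord)
        if coord not in expected:
            problems.append(f"UNLOCKED {coord}")
        elif sha256_file(path) != expected[coord]:
            problems.append(f"MISMATCH {coord}")
    for coord in sorted(set(expected) - seen):
        problems.append(f"MISSING {coord}")
    return problems


def _put(repo, coord, content):
    """Write a fake jar at the Maven path for coord (constructed test data only)."""
    g, a, v = coord.split(":")
    d = Path(repo, *g.split("."), a, v)
    d.mkdir(parents=True, exist_ok=True)
    (d / f"{a}-{v}.jar").write_bytes(content)


def demo():
    """Constructed scenario: lock a clean repo, then simulate an on-path swap of one
    jar plus an unreviewed new dependency. Returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repository")
        lock = Path(tmp, "dependencies.lock")
        _put(repo, "org.example:alpha:1.0", b"PK\x03\x04 alpha 1.0")
        _put(repo, "com.example.util:beta:2.1", b"PK\x03\x04 beta 2.1")
        write_lock(repo, lock)
        clean = verify_lock(repo, lock)
        _put(repo, "org.example:alpha:1.0", b"PK\x03\x04 alpha 1.0 with extra bytes")
        _put(repo, "org.example:gamma:0.1", b"PK\x03\x04 gamma 0.1")
        tampered = verify_lock(repo, lock)
        return clean, tampered


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Against a real checkout the calls are `write_lock(Path.home() / ".m2/repository", "dependencies.lock")` once, with the lock file committed next to the pom, and `verify_lock(...)` in CI with a non-empty result failing the build. The lock does not replace the PGP verification Mark asked about: a checksum recorded from a tampered first download is just a tampered checksum with a signature of approval, so the first `write_lock` should be done over artifacts whose `.asc` files you have checked against keys you trust.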

Re: Central and Man-in-the-middle

Brian Fox-2
http://blog.sonatype.com/2014/07/ssl_connectivity_for_central/

--Brian (mobile)


> On Jul 28, 2014, at 11:06 PM, Brian Fox <[hidden email]> wrote: