Setting Up Internal Repositories

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Setting Up Internal Repositories

Michael.CTR.Tarullo
The Maven Introduction to Repositories documentation contains a section that describes setting up an internal repository.

In that section is described an option to manually download and vet releases, apparently of a remote repo.

What is meant by "vet"?  Can you provide an example of how a repo release would be vetted?  I suspect this is highly dependent on the intended use of the repo, but I'm just trying to get a general idea of what is involved.

Thank you.

Mike

Michael Tarullo
Contractor (Engility Corp)
Enterprise Architect
NSRR System Administrator
FAA WJH Technical Center
(609)485-5294

Reply | Threaded
Open this post in threaded view
|

Re: Setting Up Internal Repositories

Ron Wheeler
Hard to say but checking the checksums from the author's site would be
one way to vet a release from a third party.
Opening the download and looking inside to see that the artifacts are
the ones that you were expecting is less secure but could be part of
vetting.

Ron

On 16/10/2015 12:33 PM, [hidden email] wrote:

> The Maven Introduction to Repositories documentation contains a section that describes setting up an internal repository.
>
> In that section is described an option to manually download and vet releases, apparently of a remote repo.
>
> What is meant by "vet"?  Can you provide an example of how a repo release would be vetted?  I suspect this is highly dependent on the intended use of the repo, but I'm just trying to get a general idea of what is involved.
>
> Thank you.
>
> Mike
>
> Michael Tarullo
> Contractor (Engility Corp)
> Enterprise Architect
> NSRR System Administrator
> FAA WJH Technical Center
> (609)485-5294
>
>


--
Ron Wheeler
President
Artifact Software Inc
email: [hidden email]
skype: ronaldmwheeler
phone: 866-970-2435, ext 102


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Setting Up Internal Repositories

Anders Hammar
You could also check the signature against expected release managers or
similar.

/Anders (mobile)
Den 16 okt 2015 18:56 skrev "Ron Wheeler" <[hidden email]>:

> Hard to say but checking the checksums from the author's site would be one
> way to vet a release from a third party.
> Opening the download and looking inside to see that the artifacts are the
> ones that you were expecting is less secure but could be part of vetting.
>
> Ron
>
> On 16/10/2015 12:33 PM, [hidden email] wrote:
>
>> The Maven Introduction to Repositories documentation contains a section
>> that describes setting up an internal repository.
>>
>> In that section is described an option to manually download and vet
>> releases, apparently of a remote repo.
>>
>> What is meant by "vet"?  Can you provide an example of how a repo release
>> would be vetted?  I suspect this is highly dependent on the intended use of
>> the repo, but I'm just trying to get a general idea of what is involved.
>>
>> Thank you.
>>
>> Mike
>>
>> Michael Tarullo
>> Contractor (Engility Corp)
>> Enterprise Architect
>> NSRR System Administrator
>> FAA WJH Technical Center
>> (609)485-5294
>>
>>
>>
>
> --
> Ron Wheeler
> President
> Artifact Software Inc
> email: [hidden email]
> skype: ronaldmwheeler
> phone: 866-970-2435, ext 102
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

RE: Setting Up Internal Repositories

Michael.CTR.Tarullo
In reply to this post by Ron Wheeler
Thank you Ron.  We already do the first.  We are considering the second, but for a repo with a very large number of artifacts this is somewhat impractical.  To mitigate that, we may consider automating it.  Finally, knowing what to expect appears to present some problems to me.

Michael Tarullo
Contractor (Engility Corp)
Enterprise Architect
NSRR System Administrator
FAA WJH Technical Center
(609)485-5294

-----Original Message-----
From: Ron Wheeler [mailto:[hidden email]]
Sent: Friday, October 16, 2015 12:56 PM
To: [hidden email]
Subject: Re: Setting Up Internal Repositories

Hard to say but checking the checksums from the author's site would be one way to vet a release from a third party.
Opening the download and looking inside to see that the artifacts are the ones that you were expecting is less secure but could be part of vetting.

Ron

On 16/10/2015 12:33 PM, [hidden email] wrote:

> The Maven Introduction to Repositories documentation contains a section that describes setting up an internal repository.
>
> In that section is described an option to manually download and vet releases, apparently of a remote repo.
>
> What is meant by "vet"?  Can you provide an example of how a repo release would be vetted?  I suspect this is highly dependent on the intended use of the repo, but I'm just trying to get a general idea of what is involved.
>
> Thank you.
>
> Mike
>
> Michael Tarullo
> Contractor (Engility Corp)
> Enterprise Architect
> NSRR System Administrator
> FAA WJH Technical Center
> (609)485-5294
>
>


--
Ron Wheeler
President
Artifact Software Inc
email: [hidden email]
skype: ronaldmwheeler
phone: 866-970-2435, ext 102


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: Setting Up Internal Repositories

Michael.CTR.Tarullo
In reply to this post by Anders Hammar
Thank you Anders.  I think this addresses something I mentioned in my reply to Ron.

Michael Tarullo
Contractor (Engility Corp)
Enterprise Architect
NSRR System Administrator
FAA WJH Technical Center
(609)485-5294


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Anders Hammar
Sent: Friday, October 16, 2015 1:39 PM
To: Maven Users List
Subject: Re: Setting Up Internal Repositories

You could also check the signature against expected release managers or similar.

/Anders (mobile)
Den 16 okt 2015 18:56 skrev "Ron Wheeler" <[hidden email]>:

> Hard to say but checking the checksums from the author's site would be
> one way to vet a release from a third party.
> Opening the download and looking inside to see that the artifacts are
> the ones that you were expecting is less secure but could be part of vetting.
>
> Ron
>
> On 16/10/2015 12:33 PM, [hidden email] wrote:
>
>> The Maven Introduction to Repositories documentation contains a
>> section that describes setting up an internal repository.
>>
>> In that section is described an option to manually download and vet
>> releases, apparently of a remote repo.
>>
>> What is meant by "vet"?  Can you provide an example of how a repo
>> release would be vetted?  I suspect this is highly dependent on the
>> intended use of the repo, but I'm just trying to get a general idea of what is involved.
>>
>> Thank you.
>>
>> Mike
>>
>> Michael Tarullo
>> Contractor (Engility Corp)
>> Enterprise Architect
>> NSRR System Administrator
>> FAA WJH Technical Center
>> (609)485-5294
>>
>>
>>
>
> --
> Ron Wheeler
> President
> Artifact Software Inc
> email: [hidden email]
> skype: ronaldmwheeler
> phone: 866-970-2435, ext 102
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Setting Up Internal Repositories

Gail Stewart
In reply to this post by Michael.CTR.Tarullo
We have also had a process for documenting why we upgraded a dependency or
chose a new dependency.  We use Jira - so we would create a ticket type
that had a workflow for the approvals.  It was pretty lightweight but it
would sometimes prevent developers using multiple libraries to accomplish
the same task unnecessarily.

On Fri, Oct 16, 2015 at 1:40 PM, <[hidden email]> wrote:

> Thank you Ron.  We already do the first.  We are considering the second,
> but for a repo with a very large number of artifacts this is somewhat
> impractical.  To mitigate that, we may consider automating it.  Finally,
> knowing what to expect appears to present some problems to me.
>
> Michael Tarullo
> Contractor (Engility Corp)
> Enterprise Architect
> NSRR System Administrator
> FAA WJH Technical Center
> (609)485-5294
>
> -----Original Message-----
> From: Ron Wheeler [mailto:[hidden email]]
> Sent: Friday, October 16, 2015 12:56 PM
> To: [hidden email]
> Subject: Re: Setting Up Internal Repositories
>
> Hard to say but checking the checksums from the author's site would be one
> way to vet a release from a third party.
> Opening the download and looking inside to see that the artifacts are the
> ones that you were expecting is less secure but could be part of vetting.
>
> Ron
>
> On 16/10/2015 12:33 PM, [hidden email] wrote:
> > The Maven Introduction to Repositories documentation contains a section
> that describes setting up an internal repository.
> >
> > In that section is described an option to manually download and vet
> releases, apparently of a remote repo.
> >
> > What is meant by "vet"?  Can you provide an example of how a repo
> release would be vetted?  I suspect this is highly dependent on the
> intended use of the repo, but I'm just trying to get a general idea of what
> is involved.
> >
> > Thank you.
> >
> > Mike
> >
> > Michael Tarullo
> > Contractor (Engility Corp)
> > Enterprise Architect
> > NSRR System Administrator
> > FAA WJH Technical Center
> > (609)485-5294
> >
> >
>
>
> --
> Ron Wheeler
> President
> Artifact Software Inc
> email: [hidden email]
> skype: ronaldmwheeler
> phone: 866-970-2435, ext 102
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>


--

Gail Stewart
Sr. Release Engineer

AP & Payment Automation
125 Cambridgepark Drive
Cambridge, MA 02140
[hidden email]
617.299.3399  x148
Reply | Threaded
Open this post in threaded view
|

Re: Setting Up Internal Repositories

Wayne Fay
In reply to this post by Michael.CTR.Tarullo
Some organizations have concerns about using precompiled binaries
provided by third parties.

To "vet" a third-party provided binary would be a process to simply
compare the provided binary against the one that you could create
yourself using the same source code. A sufficiently motivated
third-party could take a perfectly clean/safe binary, inject their own
modifications, and distribute that modified version as if it were the
original version. I haven't seen this happen myself with any Java
libraries, but it could occur, at least in theory (and assuming you
don't pay attention to checksums - also realize the same person who
could secretly modify the binary could also modify the checksum).

As with everything, you need to think about what risks you are
concerned about, then devise processes to mitigate those risks. No one
here can dictate the correct approach for your organization.

Wayne

On Fri, Oct 16, 2015 at 9:33 AM,  <[hidden email]> wrote:

> The Maven Introduction to Repositories documentation contains a section that describes setting up an internal repository.
>
> In that section is described an option to manually download and vet releases, apparently of a remote repo.
>
> What is meant by "vet"?  Can you provide an example of how a repo release would be vetted?  I suspect this is highly dependent on the intended use of the repo, but I'm just trying to get a general idea of what is involved.
>
> Thank you.
>
> Mike
>
> Michael Tarullo
> Contractor (Engility Corp)
> Enterprise Architect
> NSRR System Administrator
> FAA WJH Technical Center
> (609)485-5294
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]