Also verify the pgp signatures of maven plugins #5
Another attack vector would be to inject a fake version of a maven plugin that the build uses.
Would it be possible to verify the asc files of the maven plugins that are downloaded?

Comments

After thinking some more on this I realize that this is maybe functionality that needs to be in maven itself, as someone could just inject a fake version of this plugin itself. Could still be somewhat useful: if you have this functionality you only need to verify this plugin manually, and this plugin will then verify the rest of the build.

I opened an issue with maven itself: https://issues.apache.org/jira/browse/MNG-5814 as this is something that's impossible to do with a plugin.

I have started to consider a different approach to solve the insecure downloads of plugins (and other artifacts) issue:

I created a bug about this problem in the maven bug tracker a long time I haven't followed that up. I'll think about your design a bit, my initial gut feeling is that it
//Alex
2016-04-17 10:14 GMT+02:00 Markus notifications@github.com:

I'm curious to hear what your current thoughts are on this! I'd love to have my code built by code that's fully signed soup-to-nuts! thanks

thx to @cobratbq
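The bootstrapping problem raised in this thread (a plugin that verifies plugins can itself be swapped for a fake one) is sidestepped if the check runs outside Maven, over the local repository, before the build trusts anything in it. The script below is an added example written for this issue; it is not code from the issue, from Maven or from any Maven plugin. It assumes the standard local repository layout (`<repo>/<group/as/dirs>/<artifactId>/<version>/<file>`, by default `~/.m2/repository`), that `gpg` is on PATH, and a constructed allow-list `PINNED_KEYS` of expected signing-key fingerprints per groupId whose values are placeholders to be replaced with fingerprints you have checked out-of-band. The important design point is that a `GOODSIG` from gpg only proves the `.asc` was made by some key in your keyring; an attacker who replaces a plugin can sign it with any key, so an artifact is reported `trusted` only when gpg's `VALIDSIG` record names a pinned fingerprint.

```python
"""Out-of-band verification of the .asc (detached PGP) signatures on Maven artifacts.

Added example for the issue above, not code from Maven or any plugin. Assumes
`gpg` on PATH and a Maven-style local repository. PINNED_KEYS is a constructed
allow-list with PLACEHOLDER fingerprints.
"""
import os
import subprocess
import sys
from pathlib import Path

SIGNED_EXTENSIONS = (".jar", ".pom")

# Constructed allow-list: groupId path prefix -> set of 40-hex-digit key fingerprints.
# The fingerprint below is a PLACEHOLDER; replace it with keys verified out-of-band.
PINNED_KEYS = {
    "org/apache/maven/plugins": {"0000000000000000000000000000000000000001"},
}


def find_unsigned(artifact_paths):
    """Return the .jar/.pom paths that have no sibling <name>.asc in the listing.

    Works on a path list only (no filesystem access), so it can also be run over
    a file listing captured from a build machine."""
    paths = {Path(p) for p in artifact_paths}
    return sorted(
        str(p) for p in paths
        if p.suffix in SIGNED_EXTENSIONS and p.with_name(p.name + ".asc") not in paths
    )


def group_of(artifact_path, repo_root):
    """groupId as a path ('org/apache/maven/plugins') for an artifact under repo_root,
    using the layout <repo>/<group dirs>/<artifactId>/<version>/<file>."""
    parts = Path(artifact_path).relative_to(Path(repo_root)).parts
    if len(parts) < 4:
        raise ValueError(f"not a repository-layout path: {artifact_path}")
    return "/".join(parts[:-3])


def pinned_for(group_path, pinned_keys):
    """Longest-prefix lookup in the allow-list; empty set when nothing is pinned."""
    best = ""
    for prefix in pinned_keys:
        if (group_path == prefix or group_path.startswith(prefix + "/")) and len(prefix) > len(best):
            best = prefix
    return pinned_keys.get(best, set())


def verdict_from_status(status_lines, pinned_fingerprints):
    """Classify gpg --status-fd output ('[GNUPG:] ...' records, one per line).

    Returns 'bad', 'no-key', 'trusted', 'unpinned' or 'error'. GOODSIG alone means
    some key in the keyring made the signature; 'trusted' additionally requires a
    VALIDSIG whose signing or primary fingerprint is in pinned_fingerprints."""
    good = False
    seen = set()
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "BADSIG":
            return "bad"
        if tag == "NO_PUBKEY":
            return "no-key"
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            seen.add(fields[2].upper())   # fingerprint of the signing (sub)key
            seen.add(fields[-1].upper())  # fingerprint of the primary key
    if not good:
        return "error"
    return "trusted" if seen & {f.upper() for f in pinned_fingerprints} else "unpinned"


def verify_artifact(artifact_path, pinned_fingerprints, gpg="gpg"):
    """Run gpg over <artifact>.asc and classify the result (needs gpg on PATH)."""
    sig = str(artifact_path) + ".asc"
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1", "--verify", sig, str(artifact_path)],
        capture_output=True, text=True,
    )
    return verdict_from_status(proc.stdout.splitlines(), pinned_fingerprints)


def audit_repository(repo_root, pinned_keys, gpg="gpg"):
    """Walk a local repository; return {artifact: verdict}, 'unsigned' when no .asc exists."""
    root = Path(repo_root)
    files = [str(p) for p in root.rglob("*") if p.is_file()]
    results = {a: "unsigned" for a in find_unsigned(files)}
    for f in files:
        if f.endswith(SIGNED_EXTENSIONS) and f not in results:
            results[f] = verify_artifact(f, pinned_for(group_of(f, root), pinned_keys), gpg)
    return results


if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.m2/repository")
    # Print everything that is not both validly signed and signed by a pinned key.
    for artifact, verdict in sorted(audit_repository(repo, PINNED_KEYS).items()):
        if verdict != "trusted":
            print(f"{verdict:9} {artifact}")
```

Run it as `python verify_m2.py [path-to-repository]` on a machine whose keyring holds the publishers' keys; `unpinned` and `no-key` are the cases to act on before a build is allowed to proceed, since both mean the artifact is signed by a key you have not decided to trust for that groupId.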