[Yanel-dev] Maven trouble and missing signatures
Josias Thöny
josias.thoeny at wyona.com
Mon Apr 28 09:06:07 CEST 2008
Michael Wechner wrote:
> Hi
>
> I have recently tried to install yanel from scratch on a fresh unix
> account, where no Maven libs are located.
>
> It didn't work, because it seems one of the public maven servers did
> deliver broken libs (e.g. log4j or servlet lib)
>
> Through this I have realized that the libs hosted by Wyona also are
> missing signatures, which is quite some security problem in case
> somebody would be able to log in and then replace the libs with something
> else.
>
> I think we should do two things
>
> 1) Create signatures for our hosted libs and make the signatures
> available on some different server so that they cannot be replaced as
> the libs might be exchanged
>
> 2) Configure the build process such that if a signature check fails,
> then also the build process fails
>
> WDYT?
Some time ago I put a simple shell script into ~/bin called md5.sh which
creates md5 checksums of all jar/pom files in a directory.
Here is an example of how to use it:

    cd ~/src/realms/maven2/data/wyona-org-security/wyona-org-security-impl/0.0.1-dev-r30015
    md5.sh
josias
>
> Cheers
>
> Michi
>
--
Josias Thöny
Wyona - Open Source Content Management
http://www.wyona.com
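The following is an added example and is not Wyona's md5.sh nor anything from the Yanel build: it sketches, in POSIX sh, the two steps Michael proposes. make_manifest writes one checksum line per jar/pom in a repository directory (the manifest is meant to be stored on a different host than the artifacts, which is what distinguishes it from the .md5/.sha1 sidecar files Maven publishes next to each artifact on the same server), and verify_manifest returns non-zero as soon as a listed file is missing or differs, so a build script calling it under set -e aborts. SHA-256 is used rather than MD5 because MD5 is not collision-resistant. The artifact names and contents in demo are constructed stand-ins; sha256sum (with shasum as fallback) and mktemp are assumed to be present.

```shell
#!/bin/sh
# Added example (not Wyona's md5.sh): a SHA-256 checksum manifest for a
# Maven repository directory, plus a verify step that fails like a build should.
# Assumes POSIX sh, sha256sum or shasum, and mktemp.

# Hex SHA-256 digest of one file.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "<hex>  <basename>" for every .jar and .pom directly in DIR.
# Keep the output somewhere the artifact server cannot write to.
make_manifest() {
    dir=$1
    for f in "$dir"/*.jar "$dir"/*.pom; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(digest "$f")" "$(basename "$f")"
    done
}

# Compare every manifest entry against DIR; report each problem on stderr
# and return 1 if anything is missing or replaced, 0 if all match.
verify_manifest() {
    dir=$1
    manifest=$2
    status=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name" >&2
            status=1
            continue
        fi
        actual=$(digest "$f")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $name" >&2
            status=1
        fi
    done < "$manifest"
    return $status
}

# Walk-through on a constructed repository directory: an untouched repo
# verifies, a swapped jar is rejected. Returns 0 only if both hold.
demo() {
    repo=$(mktemp -d) || return 1
    mf=$(mktemp) || return 1
    # Constructed sample artifacts; the bytes are stand-ins, not real jars.
    printf 'fake jar bytes\n' > "$repo/wyona-org-security-impl-0.0.1.jar"
    printf '<project/>\n' > "$repo/wyona-org-security-impl-0.0.1.pom"
    make_manifest "$repo" > "$mf"
    verify_manifest "$repo" "$mf" || { echo "unexpected failure"; return 1; }
    # Simulate an attacker replacing the jar on the artifact host.
    printf 'replaced jar bytes\n' > "$repo/wyona-org-security-impl-0.0.1.jar"
    if verify_manifest "$repo" "$mf" 2>/dev/null; then
        echo "tampering went undetected"
        return 1
    fi
    rm -rf "$repo" "$mf"
    echo "ok: untouched repo verified, replaced jar rejected"
    return 0
}

demo
```

In a build, the call would be verify_manifest "$REPO_DIR" "$MANIFEST_FROM_OTHER_HOST" || exit 1 before any jar from that directory is put on the classpath. A checksum manifest only proves the artifacts match what was recorded; it says nothing about who recorded them, so to cover the case where the manifest host is also compromised the manifest itself should carry a detached signature (for example with gpg) that the build checks against a pinned public key.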