adept-dm / adept

Adept - the predictable dependency management system

Package signatures? #31

Open copumpkin opened 10 years ago

copumpkin commented 10 years ago

In http://adepthub.com/blog/2014/02/19/resolution-engine-0, you write that:

because the actual matching in Adept is redonkulously simple and only does equality. If you want binary version 2.2, that is what you're getting. In the same way, you can get libraries with "license" equal to "apache2" or have only the ones with "QA department seal of approval" equal to "approved".

The "seal of approval" part got me wondering about cryptographic signatures on packages. Since those would be a function of the package contents, it wouldn't be a pure equality check, but would rather be a signature verification against some list of approved public keys (or some PKI hierarchy). Is that a planned feature or do you have thoughts on it?

freekh commented 10 years ago

When it comes to security there are 2 separate issues to address: the metadata (packages) and the artifacts (jars, other files). The artifacts just have a cryptographic hash for now, but I am planning on adding signatures to them as well. On packages, though, I am not sure what the security model should look like, actually. It is something I want to address, but there is a lot of other stuff I want to fix for the hopefully upcoming alpha :) Before a beta launch though, this will be something somebody (me / community once I get one :) must definitely have a look at.

To be clear: what I am talking about in the resolution engine blog article is just how you can do resolution not only on module Ids and versions, but on multiple fields. This means that library authors can enable/force the users to take a decision: which binary version do you want? Do you use a QA department approved build or do you use a SNAPSHOT/locally built version? etc. etc. Thus, it is a different mechanism than the "QA department seal of approval", which is just an example of how flexible the resolution engine is.

On 09 May 2014, at 18:41, Daniel Peebles notifications@github.com wrote:
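The contrast drawn in this thread, plain attribute equality (what the resolver does) versus signature verification against a list of approved public keys, with the signature covering the content hash that artifacts already carry, as an added Go example that is not code from Adept or from either commenter; the `Artifact` and `Constraint` types, the Ed25519 keys and the jar bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Artifact is a constructed stand-in for an Adept artifact plus a detached signature.
type Artifact struct{ Content, Signature []byte }

// Constraint: attribute equality (what the resolver does today) plus "signed by
// one of these approved keys". An empty key list accepts nothing (fail closed).
type Constraint struct {
	Attribute, Expected string
	ApprovedKeys        []ed25519.PublicKey
}

// ArtifactHash is the content hash Adept already records; it is what gets signed.
func ArtifactHash(content []byte) []byte {
	h := sha256.Sum256(content)
	return h[:]
}

// Satisfies checks equality first, then the signature. The signature check is not
// an equality test: the digest is recomputed from the bytes actually fetched, so
// a swapped artifact fails even if its metadata still says "approved".
func Satisfies(attrs map[string]string, art Artifact, c Constraint) bool {
	if attrs[c.Attribute] != c.Expected {
		return false
	}
	digest := ArtifactHash(art.Content)
	for _, k := range c.ApprovedKeys {
		if ed25519.Verify(k, digest, art.Signature) {
			return true
		}
	}
	return false
}

func main() {
	// The publisher (or QA department) signs the artifact hash once; the
	// resolver later checks it against its own list of approved keys.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	jar := []byte("constructed jar bytes")
	art := Artifact{Content: jar, Signature: ed25519.Sign(priv, ArtifactHash(jar))}
	c := Constraint{"license", "apache2", []ed25519.PublicKey{pub}}
	fmt.Println(Satisfies(map[string]string{"license": "apache2"}, art, c)) // true
}
```

The approved-key list lives with the consumer, not in the package metadata, which is what turns "seal of approval" from a self-declared attribute into something the resolver can actually check.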