keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

universal package signing #14877

Open javabeanz opened 5 years ago

javabeanz commented 5 years ago

Supply chain attacks on software packages are a great risk for open source software and its use. Maven jars, nodejs packages, pypi, ruby gems etc. are often not signed, because developers find it too hard. (source: Sonatype) If we make keybase the heart of a "letssign" project (analogous to letsencrypt), a big improvement can be made in securing the use of open source libraries. At npmjs they already have started their signing efforts (see https://blog.npmjs.org/post/172999548390/new-pgp-machinery). Please advise. If keybase is not the place for this feature request, please propose an alternative organisation or team to turn to.
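As an added illustration of the check such a "letssign" flow would give a build tool (this is example code written for this page, not keybase's code, not the npm machinery linked above, and not anything proposed in the thread), the Go program below signs and verifies a package artifact with a detached Ed25519 signature. The `Artifact` type, the statement format `name@version:sha256-<hex>` and the function names are assumptions made for the example; binding name, version and content digest into the signed statement is what stops a valid signature from being replayed onto a tampered file or a different release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Artifact is a hypothetical package artifact: its coordinates plus content.
// For Maven this would be groupId:artifactId, a version and the jar bytes.
type Artifact struct {
	Name    string
	Version string
	Content []byte
}

// ErrBadSignature is returned when a signature does not verify.
var ErrBadSignature = errors.New("signature does not verify against artifact")

// signedStatement builds the message that is actually signed. Name, version
// and a SHA-256 digest of the content are bound together, so a signature
// over one release cannot be reused for modified content or another version.
// The exact format is an assumption for this example.
func signedStatement(a Artifact) []byte {
	sum := sha256.Sum256(a.Content)
	return []byte(a.Name + "@" + a.Version + ":sha256-" + hex.EncodeToString(sum[:]))
}

// Sign produces a detached Ed25519 signature over the artifact statement.
// This is what a publisher-side plugin would run at release time.
func Sign(priv ed25519.PrivateKey, a Artifact) []byte {
	return ed25519.Sign(priv, signedStatement(a))
}

// Verify checks a detached signature against the artifact and a public key
// the consumer already trusts. This is what a build tool would run on download.
func Verify(pub ed25519.PublicKey, a Artifact, sig []byte) error {
	if !ed25519.Verify(pub, signedStatement(a), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed sample: a throwaway key pair and a fake jar.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	release := Artifact{Name: "org.example:lib", Version: "1.0.0", Content: []byte("jar bytes")}
	sig := Sign(priv, release)
	fmt.Println("genuine release:", Verify(pub, release, sig))

	// A modified jar with the same coordinates must fail.
	tampered := release
	tampered.Content = []byte("jar bytes with a backdoor")
	fmt.Println("tampered content:", Verify(pub, tampered, sig))

	// The same jar re-labelled as a different version must fail too.
	relabelled := release
	relabelled.Version = "1.0.1"
	fmt.Println("relabelled version:", Verify(pub, relabelled, sig))
}
```

The consumer side only needs the publisher's public key; how that key is discovered and tied to a maintainer identity (the part a keybase-backed service would supply) is outside this example.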

maxtaco commented 5 years ago

This is obviously something we think is a great idea and we'd be happy to help out if we can!

javabeanz commented 5 years ago

Fantastic! Let me know if I can help here. Are you by any chance going to Fosdem 2019? I'll try to contact Sonatype to point out that there should be a maven-keybase plugin.