[slf4j-user] Signatures for verifying Slf4j

Elisha Ebenezer elisha.ebenezer at gmail.com
Thu May 13 08:01:12 CEST 2010


Ceki,
I've raised the bug report upon your suggestion.
Bug #183 <http://bugzilla.slf4j.org/show_bug.cgi?id=183>

However, I still request you to specify the md5/sha1 checksums on your site.

This will help us to at least convince our security team that the integrity of
the downloaded files can be verified.

Please do the needful.
Thanks,
Elisha Ebenezer.

On Wed, May 12, 2010 at 2:44 PM, Ceki Gülcü <ceki at qos.ch> wrote:

> Hello Elisha,
>
> I can't immediately add signatures to our jars. However, please enter
> a bug report and I'll look into it.
>
>
> On 12/05/2010 10:03 AM, Elisha Ebenezer wrote:
>
>> Hi Ceki,
>>
>> Can you please provide us an update on when we can expect the
>> slf4j (and logback) shipped as signed jars. And also, please consider
>> publishing md5/sha1 checksums on your site.
>> This would help us to push for using slf4j in security-conscious
>> organizations.
>> Thanks,
>> Elisha Ebenezer
>>
>> On Sat, May 8, 2010 at 8:44 PM, Joern Huxhorn <jhuxhorn at googlemail.com> wrote:
>>
>>    Hi Jeff,
>>
>>    thank you very much for this information and your article! I wasn't
>>    aware of this plugin.
>>
>>    I just changed my build process for Lilith accordingly.
>>    See
>>
>> http://github.com/huxi/lilith/commit/c2689ee57b263c6a2cb6241547a991703354bc6f
>>
>>    I had to jump through some loops, though, since I have gpg2 instead
>>    of gpg:
>>
>>    The following two properties had to be added to my pom:
>>    <gpg.useagent>true</gpg.useagent>
>>    <gpg.keyname>740A1840</gpg.keyname>
>>
>>    The first one makes sure that gpg isn't complaining about an invalid
>>    option (--no-use-agent was removed in gpg2) and doesn't ask for a
>>    passphrase anymore.
>>    This was quite tricky since the documentation of maven-gpg-plugin
>>    says that it's called useAgent, which it isn't!
>>
>>    The second one selects the correct key used for the signature -
>>    which is a good idea if you have more than one.
>>
>>    I wanted to comment on your article but, unfortunately, comments are
>>    disabled.
>>
>>    Cheers,
>>    Joern.
>>
>>    On 08.05.2010, at 03:23, Jeff Jensen wrote:
>>
>>>    It is best if the artifacts are signed. Sometime in the near
>>>    future, Central/Nexus will not accept artifacts without being signed.
>>>    This would prove the source for you more than the hashes.
>>>    Ceki: you should start signing the release artifacts.  It is very
>>>    easy - I’ve done it already on a few products and Sonatype has a
>>>    very good page describing how.  Maven will do it automatically for
>>>    you:
>>>
>>> http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven
>>>    *From:* slf4j-user-bounces at qos.ch *On Behalf Of* Joern Huxhorn
>>>    *Sent:* Friday, May 07, 2010 3:50 AM
>>>    *To:* User list for the slf4j project
>>>    *Subject:* Re: [slf4j-user] Signatures for verifying Slf4j
>>>    One solution could be the use of signed tags for SLF4J and Logback.
>>>    That way it would be possible to pull the git repository, check
>>>    the signature of the tag and build SLF4J and Logback yourself
>>>    afterwards.
>>>    I think the MD5 and SHA1 of Maven repository are merely a way to
>>>    prevent corrupted files, not an actual security feature.
>>>    Cheers,
>>>    Joern.
>>>    On 07.05.2010, at 09:26, Elisha Ebenezer wrote:
>>>
>>>
>>>    Hi Ceki,
>>>    I'm trying to push to use Slf4j and logback in our project and my
>>>    company wants me to get the MD5 or SHA1 hashes or the code-signing
>>>    certs to verify the integrity of downloaded files.
>>>
>>>    Though the repo1.maven.org <http://repo1.maven.org/> site provides the
>>>    hashes, we are not sure whether the war and the hash are uploaded
>>>    by a genuine party or not.
>>>
>>>    As you are the owner of the project, I request you to kindly
>>>    publish the hashes or certs on the website's download page, which can
>>>    be cross-checked with the downloaded war and/or also with the
>>>    maven repository.
>>>
>>>    Kindly do the needful and oblige.
>>>
>>>    Thanks,
>>>    Elisha Ebenezer.
>>>
>>
> _______________________________________________
> slf4j-user mailing list
> slf4j-user at qos.ch
> http://qos.ch/mailman/listinfo/slf4j-user
>
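The distinction the thread keeps returning to, that a Maven .sha1/.md5 sidecar only proves the download was not corrupted while a detached signature by the publisher's key proves who produced it, as an added example that is not part of this thread or of the SLF4J/Logback projects' own code. It parses the sidecar in the shapes actually found on repo1 (bare digest, or digest followed by a filename, either case), verifies the artifact against it, and then verifies a detached signature with a key obtained out of band. Assumptions: ed25519 from Go's standard library stands in for the PGP key and .asc file the thread discusses (the standard library has no OpenPGP); the "jar" bytes, the sidecar contents and the attacker's substitute are constructed inline and are not real artifacts.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// parseMavenChecksum extracts the digest from the contents of a Maven
// repository sidecar file (foo.jar.sha1 / foo.jar.md5). Files on repo1
// come in several shapes: a bare hex digest, "digest  filename"
// (coreutils style), or "digest *filename", in upper or lower case.
func parseMavenChecksum(contents string) ([]byte, error) {
	fields := strings.Fields(contents)
	if len(fields) == 0 {
		return nil, errors.New("empty checksum file")
	}
	digest, err := hex.DecodeString(strings.ToLower(fields[0]))
	if err != nil {
		return nil, fmt.Errorf("checksum file is not hex: %w", err)
	}
	return digest, nil
}

// ChecksumMatches reports whether the artifact's SHA-1 equals the digest in
// its .sha1 sidecar. This catches a corrupted or truncated download and
// nothing more: whoever can replace the jar on the server can regenerate
// the sidecar to match.
func ChecksumMatches(artifact []byte, sha1File string) (bool, error) {
	want, err := parseMavenChecksum(sha1File)
	if err != nil {
		return false, err
	}
	if len(want) != sha1.Size {
		return false, fmt.Errorf("expected a %d-byte SHA-1, got %d bytes", sha1.Size, len(want))
	}
	got := sha1.Sum(artifact)
	return bytes.Equal(got[:], want), nil
}

// MavenSha1File renders a sidecar the way maven-deploy does: bare hex digest.
func MavenSha1File(artifact []byte) string {
	sum := sha1.Sum(artifact)
	return hex.EncodeToString(sum[:])
}

// Publisher is the release signer. ed25519 stands in for the project's PGP
// key (assumption: Go's standard library has no OpenPGP); the shape of the
// check is the same, a detached signature over the exact artifact bytes.
type Publisher struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Pub: pub, priv: priv}, nil
}

// Sign produces the detached signature that would be published as foo.jar.asc.
func (p *Publisher) Sign(artifact []byte) []byte {
	return ed25519.Sign(p.priv, artifact)
}

// Verdict separates the two questions the thread conflates: did the bytes
// arrive intact, and did the expected party produce them.
type Verdict struct {
	ChecksumOK  bool
	SignatureOK bool
}

// VerifyDownload runs both checks. trustedPub must come from somewhere other
// than the server that served the jar (the project's website, or a key server
// cross-checked against a fingerprint in the docs), or the signature check
// proves nothing.
func VerifyDownload(trustedPub ed25519.PublicKey, artifact []byte, sha1File string, sig []byte) (Verdict, error) {
	sumOK, err := ChecksumMatches(artifact, sha1File)
	if err != nil {
		return Verdict{}, err
	}
	return Verdict{
		ChecksumOK:  sumOK,
		SignatureOK: ed25519.Verify(trustedPub, artifact, sig),
	}, nil
}

// Scenario plays out the concern raised in the thread. First a genuine
// release is verified; then the same release after someone who controls the
// mirror has swapped both the jar and its .sha1 (constructed byte strings,
// not real jars). The original .asc is left in place, as an attacker without
// the signing key would have to.
func Scenario() (genuine, substituted Verdict, err error) {
	signer, err := NewPublisher()
	if err != nil {
		return
	}
	release := []byte("PK\x03\x04 constructed stand-in for slf4j-api.jar")
	sig := signer.Sign(release)
	genuine, err = VerifyDownload(signer.Pub, release, MavenSha1File(release), sig)
	if err != nil {
		return
	}
	evil := []byte("PK\x03\x04 constructed stand-in for a backdoored jar")
	// coreutils-style, upper-case sidecar: exercises the parser's variants too
	evilSha1 := strings.ToUpper(MavenSha1File(evil)) + "  slf4j-api.jar\n"
	substituted, err = VerifyDownload(signer.Pub, evil, evilSha1, sig)
	return
}

func main() {
	genuine, substituted, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine release: %+v\n", genuine)
	fmt.Printf("substituted jar: %+v\n", substituted)
}
```

The substituted jar passes the checksum check and fails the signature check, which is exactly why the sidecar alone cannot satisfy a security team. With real releases the equivalent steps are to import the project's public key from a source other than the repository mirror and run `gpg --verify slf4j-api.jar.asc slf4j-api.jar`; the .sha1 file is still worth checking, but only as a download-integrity check.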