by teacup50 4140 days ago
3) This creates an insane MITM opportunity.

Not only are they spitting back opaque binaries, but they're doing so by running arbitrary and untrusted user code.

There are already single-command tools for releasing a project to Maven, including tagging the release, bumping the version number in the build file, building and signing the jars, and uploading the results to a Maven repository.

Given that, why would you SaaS trusted builds!?!


Well, to be fair, any public Maven repo is a MITM opportunity.
Maven artifacts can be GPG signed; GPG signing is required for Maven central.

It would be irresponsible to use a service like this to build binary JARs that you then signed and uploaded with your own signature guaranteeing their provenance.

Releases have to be PGP signed, snapshots don't.

How many people do you know that verify PGP signatures of their artifacts? Do you?

Yes, we verify signatures at our middleware repository cache.
Really? Impressive! Where do you get the public keys? Most projects hosted on Maven Central don't publish them on their website.
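The last exchange, on verifying artifact signatures and where the public keys come from, as an added example that is not part of the thread and not code from Maven or GnuPG: a small Python policy check that reads which key an artifact's `.asc` claims as its issuer and accepts it only if that fingerprint was pinned for the groupId ahead of time. The groupId `org.example`, the pinned fingerprint and the sample signature are constructed placeholders; `gpg` is assumed to do the actual cryptographic verification afterwards.

```python
# Added example, not code from the thread, Maven or GnuPG: a local trust policy for the
# detached .asc signatures Maven Central requires. It reads the issuer of a v4 OpenPGP
# signature packet (RFC 4880 section 5.2.3) and checks it against fingerprints pinned
# per groupId, so the verification key is chosen by policy rather than by whatever a
# keyserver returns for a name. The signature math itself is still left to gpg.
import base64


def crc24(data: bytes) -> int:  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Decode an ASCII-armored signature block and check its CRC24 trailer."""
    lines = [ln.strip() for ln in text.splitlines()]
    try:
        start = lines.index("-----BEGIN PGP SIGNATURE-----") + 1
        block = lines[start:lines.index("-----END PGP SIGNATURE-----")]
    except ValueError:
        raise ValueError("no armored PGP signature block found") from None
    if "" in block:  # armor headers, if any, end at the first blank line
        block = block[block.index("") + 1:]
    data = base64.b64decode("".join(ln for ln in block if ln and ln[0] != "="))
    crc_lines = [ln[1:] for ln in block if ln.startswith("=")]
    if crc_lines and crc24(data) != int.from_bytes(base64.b64decode(crc_lines[-1]), "big"):
        raise ValueError("armor CRC mismatch: truncated or corrupted .asc")
    return data


def packet_body(packet: bytes) -> tuple:
    """Split an old-format OpenPGP packet (the header GnuPG writes for signatures) into (tag, body)."""
    first = packet[0]
    if first & 0xC0 != 0x80 or first & 0x03 == 3:
        raise ValueError("expected an old-format packet header with a definite length")
    start = 1 + (1 << (first & 0x03))  # one, two or four length octets follow the tag
    length = int.from_bytes(packet[1:start], "big")
    return (first >> 2) & 0x0F, packet[start:start + length]


def parse_subpackets(data: bytes) -> list:
    """Return [(type, payload), ...] for a signature subpacket area (section 5.2.3.1)."""
    out, i = [], 0
    while i < len(data):
        l0 = data[i]
        if l0 < 192:
            length, i = l0, i + 1
        elif l0 < 255:
            length, i = ((l0 - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
        out.append((data[i] & 0x7F, data[i + 1:i + length]))  # 0x7F drops the critical bit
        i += length
    return out


def signature_issuer(packet: bytes) -> dict:
    """Issuer key id and, when present, issuer fingerprint of a v4 signature packet."""
    tag, body = packet_body(packet)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed, p = body[6:6 + hashed_len], 6 + hashed_len
    unhashed = body[p + 2:p + 2 + int.from_bytes(body[p:p + 2], "big")]
    info = {"key_id": None, "fingerprint": None}
    for sub_type, payload in parse_subpackets(hashed) + parse_subpackets(unhashed):
        if sub_type == 16 and len(payload) == 8:  # issuer key id, usually in the unhashed area
            info["key_id"] = payload.hex().upper()
        elif sub_type == 33 and payload[:1] == b"\x04" and len(payload) == 21:
            info["fingerprint"] = payload[1:].hex().upper()  # issuer fingerprint (newer GnuPG)
    return info


# Constructed placeholder fingerprint pinned per groupId. A real deployment fills this
# from fingerprints obtained out-of-band (the project's KEYS file, release notes).
PINNED_SIGNERS = {"org.example": {"0123456789ABCDEF0123456789ABCDEF01234567"}}


def signer_allowed(group_id: str, asc_text: str) -> tuple:
    """Policy gate: does the .asc name a signer pinned for this groupId?"""
    info = signature_issuer(dearmor(asc_text))
    pinned = PINNED_SIGNERS.get(group_id, set())
    if info["fingerprint"] in pinned:
        return True, f"issuer fingerprint {info['fingerprint']} is pinned for {group_id}"
    if info["key_id"] and any(fp.endswith(info["key_id"]) for fp in pinned):
        # key id = low 64 bits of the fingerprint and collidable: weaker match, gpg still verifies
        return True, f"issuer key id {info['key_id']} matches a pinned fingerprint"
    return False, f"signer {info['fingerprint'] or info['key_id']} is not pinned for {group_id}"


def build_demo_asc(fingerprint_hex: str) -> str:
    """Constructed sample .asc: a well-formed v4 signature packet that verifies nothing."""
    fp = bytes.fromhex(fingerprint_hex)
    hashed = bytes([5, 2, 0, 0, 0, 0]) + bytes([22, 33, 4]) + fp  # creation time, issuer fp
    unhashed = bytes([9, 16]) + fp[-8:]                           # issuer key id
    body = (bytes([4, 0, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00\x00\x08\x80")
    packet = bytes([0x88, len(body)]) + body  # old-format header: tag 2, one length octet
    crc, b64 = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode(), base64.b64encode(packet).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n={crc}\n-----END PGP SIGNATURE-----\n"


DEMO_FP = "0123456789ABCDEF0123456789ABCDEF01234567"
DEMO_ASC = build_demo_asc(DEMO_FP)  # constructed sample, not a real signature
```

The check answers the "where do you get the public keys" question by refusing to answer it at verification time: the fingerprint must already be pinned from something obtained separately (the project's KEYS file, a release announcement), and a keyserver lookup by name or by the key id found in the `.asc` is never treated as trust. The issuer subpackets are not themselves authenticated (the key id commonly sits in the unhashed area), so after the policy check passes, the signature still has to be verified by gpg against a keyring holding only the pinned key, for instance `gpg --no-default-keyring --keyring pinned.kbx --verify artifact.jar.asc artifact.jar`.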