s4u / pgp-keys-map
PGP keys map to maven artifacts
License: Apache License 2.0
I'm considering configuring the (default) build plug-ins in pgp-keys-map-test1 and pgp-keys-map-test2 to not execute during install/deploy builds, to avoid these artifacts showing up in local repositories. We would need to disable 3+ build plug-ins, so it makes things a bit verbose.
What do you think?
The workflow build.yml is referencing action s4u/maven-settings-action using reference v2.4.0. However, this reference is missing the commit 5935b2506fdb5912d2dbbd167716193890e2fabd, which may contain a fix for some vulnerability.
The vulnerability fix missing from this action version could be related to:
(1) a CVE fix
(2) an upgrade of a vulnerable dependency
(3) a fix for a secret leak, and others.
Please consider updating the reference to the action.
I'm observing
Error: Not allowed artifact org.codehaus.plexus:plexus-utils:jar:4.0.0 and keyID:
org.codehaus.plexus:plexus-utils:4.0.0 = 0xEA23DB1360D9029481E7F2EFECDFEA3CB4493B94
Is your feature request related to a problem? Please describe.
For a large open source project, new committers may be brought on board and given PGP keys, after which they are able to stage releases for voting.
Describe the solution you'd like
I would like KeyMapLocation to be a URL, so my project does not need to be updated for every change to the membership
Describe alternatives you've considered
Alternatively, I could download the file and keep it in the project repo.
Additional context
I hope the request is clear enough, and maybe the feature already exists? If so please perhaps point me to the docs.
Thanks!
Describe the solution you'd like
I'd like to have com.google.j2objc:j2objc-annotations:* included in the official map.
Describe alternatives you've considered
I've added
com.google.j2objc:j2objc-annotations:* = 0xEB1B3DE71713C9EC2E87CC26EE92349AD86DE446
to the additional map used by the project, but I'd rather have the key included in the official map.
Additional context
Error: Not allowed artifact com.google.j2objc:j2objc-annotations:jar:2.8 and keyID:
com.google.j2objc:j2objc-annotations:2.8 = 0xEB1B3DE71713C9EC2E87CC26EE92349AD86DE446
https://keyserver.ubuntu.com/pks/lookup?op=vindex&fingerprint=on&search=0xEB1B3DE71713C9EC2E87CC26EE92349AD86DE446
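The two "Not allowed artifact ... and keyID" reports above both come from the same check: a keys-map line pins an artifact coordinate to the fingerprint of the key allowed to sign it, and a version of `*` covers any version. The following is an added example, not the plugin's own code, that parses that line format and performs the check; it reuses the two map lines quoted in the posts as constructed sample input, and treating `#` lines as comments is an assumption.

```python
"""Matcher for the pgp-keys-map line format: groupId:artifactId:version = 0xFINGERPRINT.

Added example, not the project's own code. Assumption: '#' starts a comment line.
"""
import re
from typing import List, Tuple

# Constructed sample map, reusing the two lines quoted in the issues above.
SAMPLE_MAP = """
# constructed sample keys map
org.codehaus.plexus:plexus-utils:4.0.0 = 0xEA23DB1360D9029481E7F2EFECDFEA3CB4493B94
com.google.j2objc:j2objc-annotations:* = 0xEB1B3DE71713C9EC2E87CC26EE92349AD86DE446
"""

# group:artifact:version = 0x + 40 hex digits (a full v4 key fingerprint)
LINE_RE = re.compile(r"^([^:\s]+):([^:\s]+):([^\s=]+)\s*=\s*(0x[0-9A-Fa-f]{40})$")

Entry = Tuple[str, str, str, str]  # (groupId, artifactId, versionPattern, fingerprint)


def norm_fingerprint(fp: str) -> str:
    """Drop an optional 0x prefix and upper-case the hex so comparisons are exact."""
    fp = fp.strip()
    if fp.lower().startswith("0x"):
        fp = fp[2:]
    return fp.upper()


def parse_keys_map(text: str) -> List[Entry]:
    """Parse map lines; a malformed line is an error, not a silent skip."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: comment line
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed keys-map entry: {raw!r}")
        g, a, v, fp = m.groups()
        entries.append((g, a, v, norm_fingerprint(fp)))
    return entries


def is_allowed(entries: List[Entry], group: str, artifact: str,
               version: str, fingerprint: str) -> bool:
    """True only if an entry covers the coordinate AND names the signing key.

    A known artifact signed by an unlisted key is rejected: the map pins the
    key, which is what the 'Not allowed artifact ... and keyID' error reports.
    """
    want = norm_fingerprint(fingerprint)
    return any(g == group and a == artifact and (v == "*" or v == version) and fp == want
               for g, a, v, fp in entries)
```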
The workflow pr.yml is referencing action s4u/maven-settings-action using reference v2.4.0. However, this reference is missing the commit 5935b2506fdb5912d2dbbd167716193890e2fabd, which may contain a fix for some vulnerability.
The vulnerability fix missing from this action version could be related to:
(1) a CVE fix
(2) an upgrade of a vulnerable dependency
(3) a fix for a secret leak, and others.
Please consider updating the reference to the action.
I'm looking into verifying all org.apache.maven.plugins artifacts in one go. I'm working on a script to pull in everything, then download all the keys and do all the verification. It seems useful to have a reliable baseline for all the implicit plugins that maven uses. (I've done some work already and found some bad signatures along the way :-P)
But I'm a bit at a loss as to how we're going to test all those jars. I was thinking, we do not have to perform the artifact validation through maven itself, because pgpverify-maven-plugin is the project that needs to work inside maven. But the keys map file may be tested in other ways.
@slawekjaranowski do you have any idea on how we could verify it if I provide you with an update to the keys-map-list that includes fingerprints for all versions of all these artifacts?
Okay ... this one might be a bit nasty ... but I think we can (ab)use build plug-ins dependencies to list other versions of dependencies.
Maven seems to treat build plug-ins differently:
I'm thinking, we only need a way to list multiple versions of dependencies. So, if we create/find a no-op build plug-in that does not rely on further dependencies, we add this build plug-in as many times as we need (with different ids), then add alternative versions of dependencies to it.
With s4u/pgpverify-maven-plugin#56, we will simply read all dependencies and process their artifacts. The solution is not very elegant, but it could be very effective.