<div>Hi Ceki,</div>
<div>Can you please provide us an update on when we can expect </div>
<div>slf4j (and logback) to be shipped as signed jars? Also, please consider publishing MD5/SHA1 checksums on your site. </div>
<div>This would help us to push for using slf4j in security-conscious organizations.</div>
<div>&nbsp;</div>
<div>Thanks,</div>
<div>Elisha Ebenezer<br><br></div>
<div class="gmail_quote">On Sat, May 8, 2010 at 8:44 PM, Joern Huxhorn <span dir="ltr"><<a href="mailto:jhuxhorn@googlemail.com">jhuxhorn@googlemail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div style="WORD-WRAP: break-word">
<div>Hi Jeff,</div>
<div><br></div>
<div>thank you very much for this information and your article! I wasn't aware of this plugin.</div>
<div><br></div>
<div>I just changed my build process for Lilith accordingly.</div>
<div>See <a href="http://github.com/huxi/lilith/commit/c2689ee57b263c6a2cb6241547a991703354bc6f" target="_blank">http://github.com/huxi/lilith/commit/c2689ee57b263c6a2cb6241547a991703354bc6f</a></div>
<div><br></div>
<div>I had to jump through some loops, though, since I have gpg2 instead of gpg:</div>
<div><br></div>
<div>The following two properties had to be added to my pom:</div>
<div>
<div>&lt;gpg.useagent&gt;true&lt;/gpg.useagent&gt;</div>
<div>&lt;gpg.keyname&gt;740A1840&lt;/gpg.keyname&gt;</div>
<div><br></div>
<div>The first one makes sure that gpg isn't complaining about an invalid option (--no-use-agent was removed in gpg2) and doesn't ask for a passphrase anymore.</div>
<div>This was quite tricky since the documentation of maven-gpg-plugin says that it's called useAgent, which it isn't!</div>
<div><br></div>
<div>The second one selects the correct key used for the signature - which is a good idea if you have more than one.</div>
<div><br></div>
<div>I wanted to comment on your article but, unfortunately, comments are disabled.</div></div>
<div><br></div>
<div>Cheers,</div>
<div>Joern.</div>
<div>
<div></div>
<div class="h5"><br>
<div>
<div>On 08.05.2010, at 03:23, Jeff Jensen wrote:</div><br>
<blockquote type="cite">
<div style="WORD-WRAP: break-word" lang="EN-US" vlink="purple" link="blue">
<div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt"><span style="FONT-FAMILY: Calibri, sans-serif; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">It is best if the artifacts are signed. Sometime in the near future, Central/Nexus will not accept artifacts without being signed.</span></div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt"><span style="FONT-FAMILY: Calibri, sans-serif; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">&nbsp;</span></div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt"><span style="FONT-FAMILY: Calibri, sans-serif; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">This would prove the source for you more than the hashes.</span></div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt"><span style="FONT-FAMILY: Calibri, sans-serif; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">&nbsp;</span></div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt"><span style="FONT-FAMILY: Calibri, sans-serif; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">Ceki: you should start signing the release artifacts. It is very easy - I’ve done it already on a few products and Sonatype has a very good page describing how. Maven will do it automatically for you:</span></div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt"><span style="FONT-FAMILY: Calibri, sans-serif; COLOR: rgb(31,73,125); FONT-SIZE: 11pt"><a style="COLOR: blue; TEXT-DECORATION: underline" href="http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven" target="_blank">http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven</a></span></div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt"><span style="FONT-FAMILY: Calibri, sans-serif; COLOR: rgb(31,73,125); FONT-SIZE: 11pt">&nbsp;</span></div>
<div>
<div style="BORDER-BOTTOM-STYLE: none; PADDING-BOTTOM: 0in; BORDER-RIGHT-STYLE: none; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-LEFT-STYLE: none; BORDER-TOP: rgb(181,196,223) 1pt solid; PADDING-TOP: 3pt">
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt"><b><span style="FONT-FAMILY: Tahoma, sans-serif; FONT-SIZE: 10pt">From:</span></b><span style="FONT-FAMILY: Tahoma, sans-serif; FONT-SIZE: 10pt"><span>&nbsp;</span><a style="COLOR: blue; TEXT-DECORATION: underline" href="mailto:slf4j-user-bounces@qos.ch" target="_blank">slf4j-user-bounces@qos.ch</a><span>&nbsp;</span>[mailto:<a href="mailto:slf4j-user-bounces@qos.ch" target="_blank">slf4j-user-bounces@qos.ch</a>]<span>&nbsp;</span><b>On Behalf Of<span>&nbsp;</span></b>Joern Huxhorn<br>
<b>Sent:</b><span>&nbsp;</span>Friday, May 07, 2010 3:50 AM<br><b>To:</b><span>&nbsp;</span>User list for the slf4j project<br><b>Subject:</b><span>&nbsp;</span>Re: [slf4j-user] Signatures for verifying Slf4j</span></div></div></div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">&nbsp;</div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">One solution could be the use of signed tags for SLF4J and Logback.</div>
<div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">&nbsp;</div>
<div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">That way it would be possible to pull the git repository, check the signature of the tag and build SLF4J and Logback yourself afterwards.</div>
</div>
<div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">I think the MD5 and SHA1 of the Maven repository are merely a way to prevent corrupted files, not an actual security feature.</div>
</div>
<div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">&nbsp;</div></div>
<div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">Cheers,</div></div>
<div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">Joern.</div></div>
<div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">&nbsp;</div>
<div>
<div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">On 07.05.2010, at 09:26, Elisha Ebenezer wrote:</div></div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt"><br><br></div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">Hi Ceki,<br>I'm trying to push to use Slf4j and logback in our project and my company wants me to get the MD5 or SHA1 hashes or the code-signing certs to verify the integrity of downloaded files.<br>
 <br>Though the<span> </span><a style="COLOR: blue; TEXT-DECORATION: underline" href="http://repo1.maven.org/" target="_blank">repo1.maven.org</a><span> </span>site provides the hashes, we are not sure whether the war and the hash are uploaded by a genuine party or not.<br>
 <br>As you are the owner of the project, I request you to kindly publish the hashes or certs on the website's download page, which can be cross-checked with the downloaded war and/or also with the maven repository.<br> <br>
Kindly do the needful and oblige.<br>&nbsp;<br>Thanks,<br>Elisha Ebenezer. _______________________________________________<br>slf4j-user mailing list<br><a style="COLOR: blue; TEXT-DECORATION: underline" href="mailto:slf4j-user@qos.ch" target="_blank">slf4j-user@qos.ch</a><br>
<a style="COLOR: blue; TEXT-DECORATION: underline" href="http://qos.ch/mailman/listinfo/slf4j-user" target="_blank">http://qos.ch/mailman/listinfo/slf4j-user</a></div></div>
<div style="MARGIN: 0in 0in 0pt; FONT-FAMILY: 'Times New Roman', serif; FONT-SIZE: 12pt">&nbsp;</div></div></div></div>
</div></blockquote></div><br></div></div></div></blockquote></div>
<br>