Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds

>  Please talk to security experts about threat modelling and mitigation.

Please read about the "SolarWinds" attack [1] to see that signing helps for nothing as long as your "trusted system" it tampered :-)

But I think that's far out of topic here... signing of content is simply not a concern of that new feature as consuming artifacts from P2 sites does not guarantee signing either.


Am 21.01.21 um 16:24 schrieb Gunnar Wagenknecht:
On Jan 21, 2021, at 16:12, Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
If someone has access to your machine to tamper any file your almost lost and signatures does not help. A signature only provides you with some kind of trust of the origin and was not tampered on transit.

The claims in this statement apply to a narrow scenario and simply don't hold true in the broader case. Please talk to security experts about threat modelling and mitigation.

Signed content is a fine way of verifying that content has not been tempered with. Any re-signing requires either access to the original signing key (which webmasters protect) or injecting a new authority into a trust system, which *if* done properly, requires a different level of file system access than the process with write access to plugin jar files would have.


tycho-user mailing list
To unsubscribe from this list, visit

Back to the top