How to increase security #1
Comments
Each p2-repository has a file "artifacts.xml" (possibly with jar or xz extension). This file contains a list of bundles and their checksums (usually SHA-512, SHA-256, sometimes MD-5). All these algorithms are supported by maven and can be used to validate jars of bundles. The content of bundles is transmitted by the service without modification, so the checksum remains unchanged. The service generates maven-specific artifacts: pom.xml, metadata-files - to adapt the p2-repository structure for usage with maven.
Thanks for getting back so quickly. Please do not take this as being ungrateful. I am just being paranoid. Is it not possible for you to repackage? How can consumers be sure that the content you are redistributing matches the original content?
The service stores only metadata of p2-artifacts, not their binary content. For binary content the service serves as a proxy between the customer and one of the p2-repository mirrors.
Maven resolver proposes different strategies to validate checksums. If default validation is not enough, the customer can download artifacts.xml, extract checksums for all p2-repository artifacts and use them to validate the service output. In this case validation will be absolutely independent.
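The independent check described in the comment above, sketched as an added example that is not part of the thread or of the project's code. It assumes the p2 property names `download.checksum.sha-256` and `download.checksum.sha-512` (not quoted on this page), uses a constructed `artifacts.xml` and constructed jar bytes, and by its own choice refuses entries that publish only MD5.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumed p2 property names (not quoted on the page), strongest digest first.
CHECKSUM_PROPS = [("download.checksum.sha-512", "sha512"),
                  ("download.checksum.sha-256", "sha256")]

def load_checksums(artifacts_xml):
    """Map (bundle id, version) -> (hashlib name, hex digest) from artifacts.xml."""
    index = {}
    for art in ET.fromstring(artifacts_xml).iter("artifact"):
        if art.get("classifier") != "osgi.bundle":
            continue
        props = {p.get("name"): p.get("value") for p in art.iter("property")}
        for prop, algo in CHECKSUM_PROPS:
            if props.get(prop):
                index[(art.get("id"), art.get("version"))] = (algo, props[prop].lower())
                break  # keep only the strongest digest that was published
    return index

def verify(index, bundle_id, version, jar_bytes):
    """True only if the bytes match a SHA-2 digest published in artifacts.xml."""
    entry = index.get((bundle_id, version))
    if entry is None:  # unknown bundle, or only MD5 published: not accepted here
        return False
    algo, expected = entry
    actual = hashlib.new(algo, jar_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data: stand-ins for a jar fetched through the service and
# for artifacts.xml fetched directly from the original p2 repository.
SAMPLE_JAR = b"constructed bundle bytes"
SAMPLE_XML = f"""<repository name='constructed sample'>
 <artifacts size='2'>
  <artifact classifier='osgi.bundle' id='org.example.a' version='1.0.0'>
   <properties size='2'>
    <property name='download.checksum.sha-256' value='{hashlib.sha256(SAMPLE_JAR).hexdigest()}'/>
    <property name='download.checksum.sha-512' value='{hashlib.sha512(SAMPLE_JAR).hexdigest()}'/>
   </properties>
  </artifact>
  <artifact classifier='osgi.bundle' id='org.example.md5only' version='2.0.0'>
   <properties size='1'>
    <property name='download.checksum.md5' value='d41d8cd98f00b204e9800998ecf8427e'/>
   </properties>
  </artifact>
 </artifacts>
</repository>"""

if __name__ == "__main__":
    idx = load_checksums(SAMPLE_XML)
    print(verify(idx, "org.example.a", "1.0.0", SAMPLE_JAR))
```

The check is only independent if `artifacts.xml` is obtained from the original p2 repository over a channel separate from the service whose output is being validated.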
Thank you for this service. 🙏
How can we know that what you provide as bundles is safe?