s4u / pgp-keys-map
PGP keys map to maven artifacts

License: Apache License 2.0

Shell 100.00%
hacktoberfest java maven-plugin pgp pgp-key security

pgp-keys-map's Issues

Prevent anything from running in `install` and `deploy` phases

I'm considering configuring the (default) build plug-ins in pgp-keys-map-test1 and pgp-keys-map-test2 to not execute during install/deploy builds, to avoid these artifacts showing up in local repositories. We would need to disable 3+ build plug-ins, which makes it a bit verbose.

What do you think?

[Security] Workflow pr.yml is using vulnerable action s4u/maven-settings-action

The workflow pr.yml is referencing action s4u/maven-settings-action using reference v2.4.0. However, this reference is missing the commit 5935b2506fdb5912d2dbbd167716193890e2fabd, which may contain a fix for some vulnerability.
The vulnerability fix missing from this action version could be related to:
(1) a CVE fix
(2) an upgrade of a vulnerable dependency
(3) a fix to a secret leak, among others.
Please consider updating the reference to the action.

Please add new key for `j2objc-annotations` signer

Describe the solution you'd like
I'd like to have com.google.j2objc:j2objc-annotations:* included in official map.

Describe alternatives you've considered
I've added

com.google.j2objc:j2objc-annotations:* = 0xEB1B3DE71713C9EC2E87CC26EE92349AD86DE446

to additional map used by project, but I'd rather have the key be included in official map.

Additional context

Error:  Not allowed artifact com.google.j2objc:j2objc-annotations:jar:2.8 and keyID:
	com.google.j2objc:j2objc-annotations:2.8 = 0xEB1B3DE71713C9EC2E87CC26EE92349AD86DE446
	https://keyserver.ubuntu.com/pks/lookup?op=vindex&fingerprint=on&search=0xEB1B3DE71713C9EC2E87CC26EE92349AD86DE446

Testing many versions of the same artifact

I'm looking into verifying all org.apache.maven.plugins artifacts in one go. I'm working on a script to pull in everything, then download all the keys and do all the verification. It seems useful to have a reliable baseline for all the implicit plugins that maven uses. (I've done some work already and found some bad signatures along the way :-P)

But I'm a bit at a loss as to how we're going to test all those jars. I was thinking, we do not have to perform the artifact validation through maven itself, because pgpverify-maven-plugin is the project that needs to work inside maven. But the keys map file may be tested in other ways.

@slawekjaranowski do you have any idea on how we could verify it if I provide you with an update to the keys-map-list that includes fingerprints for all versions of all these artifacts?
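For the bulk check described in this issue, what ends up in the map is the fingerprint of whichever key produced the `.asc` published next to each artifact. The Python below is an added example, not code from this project or from pgpverify-maven-plugin: it builds the Maven Central URL of an artifact's detached signature and reads the issuer key ID and issuer fingerprint out of the armored signature without running gpg, which is enough to draft map entries for many versions at once. Assumptions: an RFC 4880 v4 signature packet with Issuer (subpacket 16) and Issuer Fingerprint (subpacket 33) present, as current GnuPG writes; the armor CRC line is skipped rather than checked. It identifies the signer only and does not verify the signature, so `gpg --verify` or the plugin still has to do that. The sample signature is constructed inside the block with dummy hash and MPI values and the j2objc-annotations fingerprint quoted further down this page; it names a signer but would never verify.

```python
"""Read the signer identity out of an armored detached OpenPGP signature.
Added illustration, not code from pgp-keys-map or pgpverify-maven-plugin. Assumes
an RFC 4880 v4 signature packet carrying Issuer (subpacket 16) and Issuer
Fingerprint (subpacket 33); it names the signing key, it does not verify."""
from __future__ import annotations
import base64

SIGNATURE_TAG, SUB_CREATION_TIME, SUB_ISSUER, SUB_ISSUER_FINGERPRINT = 2, 2, 16, 33


def central_asc_url(group_id: str, artifact_id: str, version: str, packaging: str = "jar") -> str:
    """URL of the detached signature under Maven Central's repository layout."""
    return (f"https://repo1.maven.org/maven2/{group_id.replace('.', '/')}/"
            f"{artifact_id}/{version}/{artifact_id}-{version}.{packaging}.asc")


def dearmor(text: str) -> bytes:
    """Strip ASCII armor: BEGIN line, optional 'Key: value' headers, blank line,
    base64 data, optional '=CRC24' line (skipped, not checked), END line."""
    data, in_block, in_data = [], False, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_block = True
        elif line.startswith("-----END PGP SIGNATURE-----"):
            break
        elif in_block and not in_data and (line == "" or ":" in line):
            in_data = line == ""                   # headers run until the blank line
        elif in_block and not line.startswith("="):
            in_data = True                         # tolerate armor without a blank line
            data.append(line)
    return base64.b64decode("".join(data))


def read_packet(raw: bytes) -> tuple[int, bytes]:
    """(tag, body) of the first packet; old-format header (what gpg writes) or new-format."""
    first = raw[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                               # new-format header
        tag, b1 = first & 0x3F, raw[1]
        if b1 < 192:
            length, off = b1, 2
        elif b1 < 224:
            length, off = ((b1 - 192) << 8) + raw[2] + 192, 3
        else:
            raise ValueError("five-octet and partial body lengths not supported")
    else:                                          # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = (2, 3, 5)[ltype]
        length = int.from_bytes(raw[1:off], "big")
    return tag, raw[off:off + length]


def iter_subpackets(data: bytes):
    """Yield (type, body) per signature subpacket (RFC 4880 5.2.3.1), critical bit masked."""
    pos = 0
    while pos < len(data):
        b0 = data[pos]
        if b0 < 192:
            length, pos = b0, pos + 1
        elif b0 < 255:
            length, pos = ((b0 - 192) << 8) + data[pos + 1] + 192, pos + 2
        else:
            length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
        yield data[pos] & 0x7F, data[pos + 1:pos + length]
        pos += length


def signer_of(armored: str) -> dict:
    """Issuer key ID and fingerprint as '0x' + upper-case hex, or None when absent."""
    tag, body = read_packet(dearmor(armored))
    if tag != SIGNATURE_TAG or body[0] != 4:
        raise ValueError(f"expected a v4 signature packet, got tag {tag} version {body[0]}")
    pos = 6 + int.from_bytes(body[4:6], "big")      # hashed subpackets occupy body[6:pos]
    hashed = body[6:pos]
    unhashed = body[pos + 2:pos + 2 + int.from_bytes(body[pos:pos + 2], "big")]
    info = {"key_id": None, "fingerprint": None}
    # The unhashed area is not signed: read it first so that hashed copies overwrite it.
    for sub_type, sub in [*iter_subpackets(unhashed), *iter_subpackets(hashed)]:
        if sub_type == SUB_ISSUER and len(sub) == 8:
            info["key_id"] = "0x" + sub.hex().upper()
        elif sub_type == SUB_ISSUER_FINGERPRINT and len(sub) == 21 and sub[0] == 4:
            info["fingerprint"] = "0x" + sub[1:].hex().upper()
    if info["key_id"] and info["fingerprint"] and not info["fingerprint"].endswith(info["key_id"][2:]):
        raise ValueError("unhashed Issuer does not match the signed Issuer Fingerprint")
    return info


def build_sample_signature(fingerprint: bytes) -> str:
    """Constructed sample naming `fingerprint` as issuer; dummy hash prefix and MPI, never verifies."""
    def sub(sub_type: int, body: bytes) -> bytes:
        return bytes([len(body) + 1, sub_type]) + body
    hashed = sub(SUB_ISSUER_FINGERPRINT, b"\x04" + fingerprint) + sub(SUB_CREATION_TIME, b"\x00" * 4)
    unhashed = sub(SUB_ISSUER, fingerprint[-8:])        # v4 key ID = low 64 bits of the fingerprint
    body = (bytes([4, 0x00, 1, 8])                      # v4, binary document, RSA, SHA-256
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\x00\x00" + (8).to_bytes(2, "big") + b"\xa5")   # dummy hash prefix, dummy 8-bit MPI
    packet = bytes([0x88, len(body)]) + body            # old-format header, one-byte length
    b64 = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END PGP SIGNATURE-----\n")
```

On a real artifact, fetch the text at the URL `central_asc_url` returns and pass it to `signer_of`; a fingerprint that changes between versions of one artifact is exactly the case where the map needs one line per version rather than a `*`. The unhashed Issuer is read only as a fallback because that area is not covered by the signature, and a signature whose unhashed Issuer disagrees with the signed Issuer Fingerprint is rejected instead of trusted.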

[Security] Workflow build.yml is using vulnerable action s4u/maven-settings-action

The workflow build.yml is referencing action s4u/maven-settings-action using reference v2.4.0. However, this reference is missing the commit 5935b2506fdb5912d2dbbd167716193890e2fabd, which may contain a fix for some vulnerability.
The vulnerability fix missing from this action version could be related to:
(1) a CVE fix
(2) an upgrade of a vulnerable dependency
(3) a fix to a secret leak, among others.
Please consider updating the reference to the action.

Verifying many artifact versions in same maven project

Okay ... this one might be a bit nasty ... but I think we can (ab)use build plug-in dependencies to list other versions of dependencies.

Maven seems to treat build plug-ins differently:

  1. there is no version conflict resolution (hence version ranges are not valid)
  2. I suspect plug-ins may be loaded in their own classloader (not confirmed yet)

I'm thinking, we only need a way to list multiple versions of dependencies. So, if we create/find a no-op build plug-in that does not rely on further dependencies, we add this build plug-in as many times as we need (with different ids), then add alternative versions of dependencies to it.

With s4u/pgpverify-maven-plugin#56, we will simply read all dependencies and process their artifacts. The solution is not very elegant, but it could be very effective.

URI for Key List

Is your feature request related to a problem? Please describe.
For a large open source project, new committers may be brought on-board and given PGP keys. After which they are able to stage releases for voting.

Describe the solution you'd like
I would like KeyMapLocation to be a URL, so my project does not need to be updated for every change to the membership.

Describe alternatives you've considered
Alternatively, I could download the file and keep it in the project repo.

Additional context
I hope the request is clear enough, and maybe the feature already exists? If so please perhaps point me to the docs.

Thanks!

Please add new key for `plexus-utils` signer

I'm observing

Error:  Not allowed artifact org.codehaus.plexus:plexus-utils:jar:4.0.0 and keyID:
	org.codehaus.plexus:plexus-utils:4.0.0 = 0xEA23DB1360D9029481E7F2EFECDFEA3CB4493B94
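The lookup behind the "Not allowed artifact" error quoted in this request and in the j2objc-annotations one above, re-implemented here as an added Python example (not code from pgp-keys-map or pgpverify-maven-plugin). It covers the syntax visible on this page, `groupId:artifactId:version = 0xFINGERPRINT`, plus `*` as an artifact or version wildcard, comma-separated key lists and `*` for any key; those extensions, the inline `#` comment handling and the absence of version ranges are assumptions made for the example, not a description of the plugin's parser. The sample map is constructed for the example: its two fingerprints are the ones quoted in the issues, and the `org.example` rule is hypothetical.

```python
"""Simplified matcher for the pgp-keys-map file format.

Added illustration only, not code from pgp-keys-map or pgpverify-maven-plugin.
Supported subset (an assumption based on the lines quoted in the issues): one
rule per line, 'groupId:artifactId:version = key[, key...]', '*' as artifactId
or version wildcard, keys as 0x-prefixed 40-hex-digit fingerprints or '*' for
any key, '#' comments. Version ranges are not handled.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FINGERPRINT_RE = re.compile(r"^0x[0-9A-F]{40}$")


@dataclass(frozen=True)
class Rule:
    group_id: str
    artifact_id: str      # '*' matches any artifact in the group
    version: str          # '*' matches any version
    keys: frozenset[str]  # normalized fingerprints, or {'*'} for any key


def normalize_fingerprint(value: str) -> str:
    """Canonical form '0x' + 40 upper-case hex digits; '*' passes through unchanged."""
    value = value.strip()
    if value == "*":
        return value
    hexpart = value[2:] if value[:2].lower() == "0x" else value
    fp = "0x" + hexpart.replace(" ", "").upper()
    if not FINGERPRINT_RE.match(fp):
        raise ValueError(f"not a 40-hex-digit fingerprint: {value!r}")
    return fp


def parse_keys_map(text: str) -> list[Rule]:
    """Parse the map text into rules, in file order."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments (fingerprints never contain '#')
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'coords = keys'")
        coords, keys = (part.strip() for part in line.split("=", 1))
        parts = coords.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected groupId:artifactId:version")
        group_id, artifact_id, version = parts
        rules.append(Rule(group_id, artifact_id, version,
                          frozenset(normalize_fingerprint(k) for k in keys.split(","))))
    return rules


def rule_matches(rule: Rule, group_id: str, artifact_id: str, version: str) -> bool:
    return (rule.group_id == group_id
            and rule.artifact_id in ("*", artifact_id)
            and rule.version in ("*", version))


def check_artifact(rules: list[Rule], group_id: str, artifact_id: str, version: str,
                   signer_fingerprint: str, packaging: str = "jar") -> tuple[bool, str]:
    """Return (allowed, message).

    On rejection the message follows the shape of the plugin error quoted in the
    issues: the artifact, then the map line that would admit this signer.
    """
    fp = normalize_fingerprint(signer_fingerprint)
    for rule in rules:
        if rule_matches(rule, group_id, artifact_id, version) and ("*" in rule.keys or fp in rule.keys):
            return True, ""
    message = (f"Not allowed artifact {group_id}:{artifact_id}:{packaging}:{version} and keyID:\n"
               f"\t{group_id}:{artifact_id}:{version} = {fp}")
    return False, message


SAMPLE_MAP = """\
# constructed sample map for this example; fingerprints are the ones quoted in the issues
com.google.j2objc:j2objc-annotations:* = 0xEB1B3DE71713C9EC2E87CC26EE92349AD86DE446
org.codehaus.plexus:plexus-utils:4.0.0 = 0xEA23DB1360D9029481E7F2EFECDFEA3CB4493B94
org.example:*:* = *    # hypothetical group that accepts any signing key
"""

if __name__ == "__main__":
    rules = parse_keys_map(SAMPLE_MAP)
    for coords in (("com.google.j2objc", "j2objc-annotations", "2.8", "0xEB1B3DE71713C9EC2E87CC26EE92349AD86DE446"),
                   ("org.codehaus.plexus", "plexus-utils", "4.0.1", "0xEA23DB1360D9029481E7F2EFECDFEA3CB4493B94")):
        ok, msg = check_artifact(rules, *coords)
        print("OK" if ok else msg)
```

A rejection prints the exact map line that would admit the observed signer, which is what both requests on this page paste into their issue text. Before adding such a line to a shared map, confirm through a channel other than the artifact itself (the project's KEYS file, a keyserver lookup like the one linked above) that the fingerprint belongs to the upstream maintainer: a map line copied straight from the error message would just as readily admit an attacker's key if the artifact and its signature had been swapped.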
