[2.0.4] Play 2.0.4 Artifact Signature And Cross-build Injection Attacks

Hi there,
I was reading today on how RubyGems (the Ruby equivalent of Maven central) got a malicious gem uploaded due to a security vulnerability and how they're verifying the rest of the gems(more info at https://status.heroku.com/incidents/489).
It got me curious as to how this affects my play app, so using sbt-pgp 0.6, I ran check-pgp-signatures. It seems that the play 2.0.4 artifacts are unsigned:
[info] ----- PGP Signature Results -----
[info] � � � � � � � �com.google.apis : �google-api-services-oauth2 : v2-rev26-1.12.0-beta : jar � [MISSING]
[info] � � � � � � � � �commons-email : � � � � � � � commons-email : � � � � 1.2-SNAPSHOT : jar � [MISSING]
[info] � � � � � � � org.bouncycastle : � � � � � � �bcprov-jdk15on : � � � � � � � � 1.47 : jar � [MISSING]
[info] � � � � � � � � � � � � � play : � � � � � � play-test_2.9.1 : � � � � � � � �2.0.4 : jar � [MISSING]
[info] � � � � � � � � � � � � � play : � � � � � � � � �play_2.9.1 : � � � � � � � �2.0.4 : jar � [MISSING]
[info] � � � � �com.google.api-client : � � � � � google-api-client : � � � � �1.12.0-beta : jar � [UNTRUSTED(0x978e282a)]
[info] � � � � � � � com.google.guava : � � � � � � � � � � � guava : � � � � � � � � 11.0 : jar � [UNTRUSTED(0x4931a76)]
[info] � � � � com.google.http-client : google-http-client-jackson2 : � � � � �1.12.0-beta : jar � [UNTRUSTED(0x978e282a)]
[info] � com.google.inject.extensions : � � � � guice-multibindings : � � � � � � � � �3.0 : jar � [UNTRUSTED(0x102b84d)]
[info] � � � � � � �com.google.inject : � � � � � � � � � � � guice : � � � � � � � � �3.0 : jar � [UNTRUSTED(0x102b84d)]
...
Are there plans, in the future, to sign the play framework artifacts? Also, are there other developers checking their artifacts signatures, and if so, how do you do it and what do you think are the best practices in that regards?
Thanks in advance,
-JF

Are there plans, in the future, to sign the play framework artifacts?
Yes, there are now plans to do this. �However, it requires some significant changes to our build process, since currently we actually build Play twice, once for publishing to the Typesafe ivy repository, and once for the zip distribution. �We could sign jars in the Typesafe repository today, but since the contents of the jars will be different (different timestamps of the class files in the jars), the signatures in the repository won't match the signatures of the jars in the zip distribution, and this would likely lead to false alarms saying the signature check failed if someone ran check-pgp-signatures.
So it will happen, but maybe not until 2.2.
�
Thanks in advance,
-JF
-- 
You received this message because you are subscribed to the Google Groups "play-framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
�
�
-- 
James Roper
Software Engineer
Typesafe�-�The software stack for applications that scale
Twitter: @jroper

I am wondering about injection attacks when using cypher.� Is it possible to do injection attacks when using parameterised queries? If I was hand crafting SET statements to update say a 'username' using string concatenation I could see that someone (if they knew neo4j was the backend) could add malicious code to the 'username' that would cause unintended consequences. Is there any group knowledge
I will be using mongodb with a Java middleware layer that interacts with the db. I wanted to enumerate the possible list of injection attacks (similar to SQL injection and code injection). I realize that mongodb Java driver also accepts "raw" queries in javascript, which seems to be a good point of injection attacks. Apart from this, would there be any other venues of XSS, noSQL injection attacks
I'm sure that the killer will be destroyed. America will winn. Mihai Dumitrescu Romania
Hello all, I am wondering how I should prevent SQL injection attacks while using SQLite, MySQL has the trusted mysqli_real_escape_string, but SQLite doesn't have it's own custom function, i've tried str_replace in my code, but SQLite returns an error whenever I use a '. I've tried googling around, but I haven't found anything useful.
web site, using a virtual host and a cgi that sees all inputs, but only allows GET. I have been receiving NTLMSSP attacks as often as several per hour. Sniffing with tethereal, and examining with ethereal, I see: GET / HTTP/1.0\r\n Host: Authorization: Negotiate NTLMSSP identifter: NTLM Message type: Unknown Unrecognized NTLMSSP Message I respond as for a normal
Hi,all! Guys, it seems I've had some troubles with the server. I give you the logs files content. The first thing looks like IIS buffer overflow attack (am I right?), but what exactly do the second attack? Thanks for any tips. /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
Hi Folks, I am working on an ethnic community app, which may end up being prone to DoS attacks. According to this (below) Google App Engine FAQ, they may reimburse charges that are DoS related - which I find so nice and to point of being hard to believe. So, if true, is there any way of "hiding" my.cloudant.com and/or my.iriscouch.com site behind GAE but *without* sending all of the data back trough
Hi. I'm using Apache 2.2.22 and 2.2.16... and I wondered how vulnerable I'm for the BEAST and CRIME attacks... wrt to BEAST: I know most browsers fix that already,... but I'd rather have it really enforced by the server. Further I would not prefer to disable my AES or enabled RC4 at all. Also there are sources on the web which claim that RC4 would be actually more secure than AES. There are also
Hi, Anyone attacked with reference to below URL? http://efytimes.com/e1/fullnews.asp?edid=105167&ntype=mor&edate=4/29/2013
My deepest sympathy to all Americans, It's horrible, I can still believe it. Kill everyone who is involved into these attacks Bartek Pawlik Poland Sent: Wednesday, September 12, 2001 4:28 AM