Hi there, I was reading today on how RubyGems (the Ruby equivalent of Maven Central) got a malicious gem uploaded due to a security vulnerability and how they're verifying the rest of the gems (more info at https://status.heroku.com/incidents/489). It got me curious as to how this affects my Play app, so using sbt-pgp 0.6, I ran check-pgp-signatures. It seems that the Play 2.0.4 artifacts are unsigned:

[info] ----- PGP Signature Results -----
[info]              com.google.apis : google-api-services-oauth2 : v2-rev26-1.12.0-beta : jar   [MISSING]
[info]                commons-email :               commons-email :         1.2-SNAPSHOT : jar   [MISSING]
[info]             org.bouncycastle :              bcprov-jdk15on :                 1.47 : jar   [MISSING]
[info]                         play :             play-test_2.9.1 :                2.0.4 : jar   [MISSING]
[info]                         play :                  play_2.9.1 :                2.0.4 : jar   [MISSING]
[info]        com.google.api-client :           google-api-client :          1.12.0-beta : jar   [UNTRUSTED(0x978e282a)]
[info]             com.google.guava :                       guava :                 11.0 : jar   [UNTRUSTED(0x4931a76)]
[info]       com.google.http-client : google-http-client-jackson2 :          1.12.0-beta : jar   [UNTRUSTED(0x978e282a)]
[info] com.google.inject.extensions :         guice-multibindings :                  3.0 : jar   [UNTRUSTED(0x102b84d)]
[info]            com.google.inject :                       guice :                  3.0 : jar   [UNTRUSTED(0x102b84d)]
...

Are there plans, in the future, to sign the Play framework artifacts? Also, are there other developers checking their artifacts' signatures, and if so, how do you do it and what do you think are the best practices in that regard?

Thanks in advance,
-JF

asked Jan 30 2013 at 15:06
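As an added example (not part of the post, and not code from sbt-pgp or Play), here is a small Python gate that parses the check-pgp-signatures report layout shown above and lists every dependency that is unsigned or signed by a key outside a reviewed allowlist; the OK and BAD statuses and the org.example sample line are assumptions, and the other sample lines are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One artifact line of sbt-pgp's check-pgp-signatures report, in the layout the post shows:
# "[info]  <org> : <name> : <version> : <type>   [STATUS]" where STATUS is MISSING or
# UNTRUSTED(<key id>) on the page; the OK and BAD statuses handled below are assumed.
LINE_RE = re.compile(
    r"^\[info\]\s+(?P<org>\S+)\s*:\s*(?P<name>\S+)\s*:\s*(?P<version>\S+)\s*:\s*(?P<type>\S+)\s*"
    r"\[(?P<status>[A-Z]+)(?:\((?P<key>0x[0-9a-fA-F]+)\))?\]\s*$"
)

# Constructed sample: four lines taken from the post plus one assumed [OK] line.
SAMPLE_REPORT = """\
[info] ----- PGP Signature Results -----
[info]         commons-email :     commons-email :  1.2-SNAPSHOT : jar   [MISSING]
[info]                  play :        play_2.9.1 :         2.0.4 : jar   [MISSING]
[info] com.google.api-client : google-api-client :   1.12.0-beta : jar   [UNTRUSTED(0x978e282a)]
[info]      com.google.guava :             guava :          11.0 : jar   [UNTRUSTED(0x4931a76)]
[info]           org.example :       example-lib :           1.0 : jar   [OK]
"""

@dataclass
class SignatureResult:
    org: str
    name: str
    version: str
    status: str          # MISSING, UNTRUSTED, OK or BAD
    key: Optional[str]   # key id printed in UNTRUSTED(...) lines, else None

def parse_report(text: str) -> List[SignatureResult]:
    """One SignatureResult per artifact line; the header and other noise are skipped."""
    results = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        results.append(SignatureResult(m["org"], m["name"], m["version"], m["status"], m["key"]))
    return results

def gate(results: List[SignatureResult], trusted_keys: List[str]) -> List[SignatureResult]:
    """Artifacts a build gate should reject: unsigned (MISSING), badly signed (BAD), or
    signed by a key that is not in the reviewed allowlist. The allowlist holds key ids as
    sbt-pgp prints them; a short id is a weak identifier, so pin full fingerprints if you can."""
    allowed = {k.lower() for k in trusted_keys}
    failures = []
    for r in results:
        if r.status == "OK" or (r.status == "UNTRUSTED" and r.key and r.key.lower() in allowed):
            continue   # OK, or signed by a key that has been reviewed and trusted
        failures.append(r)
    return failures
```

Wire `gate(parse_report(...), allowlist)` into CI and fail the build when it returns a non-empty list, so a new unsigned or unknown-key dependency cannot slip in unnoticed.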