Hi all,
I'm asking here since, as far as I understand, the WG now owns SimRel and has become the entity that can decide on its requirements. Please correct me if I'm wrong.
We are facing a big issue these days: it is becoming impossible to keep up to date with some upstream deps because of the jarsigning requirement.
One example is Jetty: Platform needs to frequently update to newer Jetty because of CVEs (CVEs are considered important by the Platform project), but upgrading to newer Jetty requires a *lot* of effort because Jetty doesn't use jarsigning, so Platform has to maintain a site of Jetty artifacts that are jarsigned just to be compatible with SimRel. This effort has been growing and is required more frequently; it doesn't scale, and it wastes manpower that would be better spent on features, UX, or other performance optimizations.
So we'd really like to see this requirement go away. In this direction, we have prepared some initial work allowing PGP signatures to be stored in p2 metadata.
However, this technical achievement doesn't answer the one and only question that would allow us to kiss the jarsigner requirement goodbye: what security do we want for SimRel? What kind of verifications do we want to be able to do?
Thanks in advance for your insights