incubator-general mailing list archives

From sebb <>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 14:59:43 GMT
On 18/09/2008, Hiram Chirino <> wrote:
> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
> <> wrote:
> > Similarly, the issue of signature validation is a significant flaw which
> > I also hope maven addresses even more promptly, and which they are aware
> > of.  The alternatives are to take down maven until it is secure, or to
> > continue to populate maven with various released artifacts.  And this too
> > isn't germane to the question above, which is;
>
> The signature validation issue has a simple fix which I have already
> mentioned earlier.  I'm not sure why folks continue to think it's
> still a problem.  All the projects need to do is enable a checksum
> validation plugin, and at least that problem is resolved.

Not sure I agree that the checksum plugin solves the problem.

As far as I can tell, all that the plugin does is to detect any
changes to dependencies that occur *after the checksum list is
initially generated*.

Unless I'm mistaken, it does not guard against the original dependency
already being corrupt, nor does it protect the product itself.

What's to stop the checksum list being corrupted?

>  --
>  Regards,
>  Hiram
>  Blog:
>  Open Source SOA

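The concern raised in this message, as an added example that is not part of the original thread: a locally generated checksum list only flags changes made after it was generated. The function names, artifact name and key are constructed for illustration, and an HMAC stands in for a publisher signature over the list.

```python
import hashlib
import hmac

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def make_checksum_list(repo):
    # What a checksum plugin records the first time it runs: whatever is there.
    return {name: digest(blob) for name, blob in repo.items()}

def changed_since(repo, checksums):
    # Names whose current bytes no longer match the recorded digest.
    return sorted(n for n, b in repo.items() if checksums.get(n) != digest(b))

def list_tag(checksums, key):
    # Assumption: HMAC stands in for a publisher signature over the list.
    canonical = "\n".join(f"{d}  {n}" for n, d in sorted(checksums.items()))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

def list_is_authentic(checksums, tag, key):
    return hmac.compare_digest(list_tag(checksums, key), tag)

def demo():
    key = b"constructed-demo-key"
    name = "lib-1.0.jar"  # constructed artifact name
    # Publisher side: digest list and tag computed over the genuine bytes.
    published = make_checksum_list({name: b"genuine bytes"})
    published_tag = list_tag(published, key)

    # Consumer side: the repository copy is already corrupt on first download.
    repo = {name: b"corrupt at first download"}
    local = make_checksum_list(repo)
    results = {"corrupt_original_flagged": changed_since(repo, local)}

    # A change made after the list was generated is the one case it catches.
    repo[name] = b"modified later"
    results["later_change_flagged"] = changed_since(repo, local)

    # If the list is rewritten alongside the artifact, nothing shows.
    rewritten = make_checksum_list(repo)
    results["rewritten_list_flagged"] = changed_since(repo, rewritten)

    # Authenticating the list against the publisher's tag exposes both cases.
    results["local_list_authentic"] = list_is_authentic(local, published_tag, key)
    results["rewritten_list_authentic"] = list_is_authentic(rewritten, published_tag, key)
    results["published_list_authentic"] = list_is_authentic(published, published_tag, key)
    return results

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```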