incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 18:26:29 GMT
Hiram Chirino wrote:
> So the responsibility is still on us, the upstream distributor, to
> verify the the checksums we list in our source distro are correct.
> But at least by doing this, down stream users of our source distros
> can rest assured that the dependencies that they are using are the
> correct ones.

Not if there is a man in the middle attack.  If you didn't notice the
recent noise w.r.t. DNS pollution, that's the very point of that vector.
Had it been exploited, tens of thousands of download users could have
been presented with inauthentic maven artifacts, complete with their
freshly corresponding checksums.  Welcome to the internet.

Checksums are not security.  They are nothing but error checking.

>> What's to stop the checksum list being corrupted?

Now you are thinking :)

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message