incubator-general mailing list archives

From "Jukka Zitting" <>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 19:01:15 GMT

On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr.
<> wrote:
> Not if there is a man in the middle attack.  If you didn't notice the
> recent noise w.r.t. DNS pollution, that's the very point of that vector.
> Had it been exploited, tens of thousands of download users could have
> been presented with inauthentic maven artifacts, complete with their
> freshly corresponding checksums.  Welcome to the internet.

Using Hiram's plugin the checksums are already stored in the project
that you're building and which you typically got either by checking it
out of svn or by downloading a source release, both of which are
separate from the Maven repository.

Once you're confident that the sources you have are not compromised,
the included checksums will verify that the dependencies that were
downloaded by Maven are also valid (i.e. the same binaries that the
original developer used).

The checksums are _not_ downloaded from the Maven repository.


Jukka Zitting
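An added example, not from this thread or from the plugin it discusses, modelling the point in Python: a `.sha1` sidecar fetched from the same repository as the artifact is only as trustworthy as the download channel, while a checksum committed in the project's own source tree still catches a swapped artifact. The coordinate, artifact bytes and pinned checksum table are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample artifacts (stand-ins for real jar bytes).
GENUINE_JAR = b"PK\x03\x04 org.example:library:1.0 genuine build (constructed)"
TAMPERED_JAR = b"PK\x03\x04 org.example:library:1.0 altered build (constructed)"

# What the project commits in its own source tree (e.g. next to the pom),
# derived from a trusted build rather than fetched from the repository.
# SHA-1 matches Maven's .sha1 sidecars; the scheme is identical with SHA-256.
PINNED_SHA1 = {
    "org.example:library:1.0": hashlib.sha1(GENUINE_JAR).hexdigest(),
}


def repository(compromised: bool) -> dict:
    """Model a Maven repository serving an artifact plus its .sha1 sidecar.
    Whoever controls the download channel controls both files, so the
    sidecar is always consistent with whatever artifact is served."""
    jar = TAMPERED_JAR if compromised else GENUINE_JAR
    return {"jar": jar, "sha1": hashlib.sha1(jar).hexdigest()}


def verify_with_repo_sidecar(download: dict) -> bool:
    """Naive check: artifact against the .sha1 fetched from the same place."""
    actual = hashlib.sha1(download["jar"]).hexdigest()
    return hmac.compare_digest(actual, download["sha1"])


def verify_with_pinned(coordinate: str, download: dict, pinned=PINNED_SHA1) -> bool:
    """Check the artifact against the checksum stored in the project itself.
    A coordinate with no pinned checksum is rejected rather than trusted."""
    expected = pinned.get(coordinate)
    if expected is None:
        return False
    actual = hashlib.sha1(download["jar"]).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    coord = "org.example:library:1.0"
    for compromised in (False, True):
        dl = repository(compromised)
        print(f"repository compromised={compromised}: "
              f"sidecar check={verify_with_repo_sidecar(dl)}, "
              f"pinned check={verify_with_pinned(coord, dl)}")
```

Against the compromised repository the sidecar check still passes, which is exactly why it adds nothing; only the pinned check fails.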
