incubator-general mailing list archives

From "Jukka Zitting" <>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 21:59:45 GMT

On Thu, Sep 18, 2008 at 11:41 PM, William A. Rowe, Jr.
<> wrote:
> Since the hash is not security, it's not terribly important, eh?

Hashes are a perfect tool for verifying message integrity. They won't
prove origin like signatures do, but verifiable integrity is hardly
*not* security.

Verifying integrity is what Hiram is trying to achieve with his
plugin. I.e. ensuring that the dependencies on the repository (or in
transit from the repository to the user) haven't been tampered with.

You have a valid concern about how the upstream developer can
trust his dependencies. Hiram has a valid solution to the security of
the downstream user who builds a source release (with Maven
dependencies) from the upstream developer that he trusts.

PS. Should we take this somewhere else than general@incubator? It's
hardly on topic here.


Jukka Zitting
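
The point in the message above, that a hash verifies integrity only relative to a reference you already trust, and says nothing about who produced the bytes, is easy to show in code. The following is an added example, not code from this thread or from Hiram's plugin; the artifact bytes, the checksum-file layout and the names `PINNED_SHA256`, `verify_integrity` and `scenario_repo_swapped` are all constructed here for illustration. It contrasts checking a download against the checksum sidecar served by the same repository with checking it against a digest pinned in the trusted source release.

```python
"""Dependency integrity checks against a repository sidecar vs. a pinned hash.

Constructed example: the "jars" are a few bytes, not real Maven artifacts.
"""
import hashlib
import hmac

# --- Constructed sample data (stand-ins for a dependency jar) ---------------
GOOD_JAR = b"PK\x03\x04 constructed bytes standing in for lib-1.0.jar"
TAMPERED_JAR = b"PK\x03\x04 constructed bytes with an injected change"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_checksum_file(text: str) -> str:
    """Extract the digest from a Maven-style sidecar file.

    Such files hold either the bare hex digest or 'digest  filename'.
    Anything that is not 64 hex characters is rejected rather than guessed.
    """
    fields = text.strip().split()
    if not fields:
        raise ValueError("empty checksum file")
    digest = fields[0].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest")
    return digest


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """True iff the bytes hash to expected_hex.

    compare_digest avoids leaking how many leading characters matched.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


# The digest an upstream developer pins inside the (signed) source release.
# This name and mechanism are this example's assumption, not the plugin's.
PINNED_SHA256 = sha256_hex(GOOD_JAR)


def scenario_repo_swapped(downloaded: bytes, repo_checksum_text: str) -> dict:
    """Report what a sidecar-only check and a pinned-hash check each conclude."""
    repo_digest = parse_checksum_file(repo_checksum_text)
    return {
        "sidecar_matches": verify_integrity(downloaded, repo_digest),
        "pinned_matches": verify_integrity(downloaded, PINNED_SHA256),
    }


if __name__ == "__main__":
    # Case 1: honest repository, real jar and its real sidecar: both checks pass.
    print(scenario_repo_swapped(GOOD_JAR, sha256_hex(GOOD_JAR) + "  lib-1.0.jar"))
    # Case 2: jar altered in transit, sidecar untouched: both checks fail.
    print(scenario_repo_swapped(TAMPERED_JAR, sha256_hex(GOOD_JAR)))
    # Case 3: jar AND sidecar replaced on the repository. The sidecar agrees
    # with the altered jar (a hash proves integrity, not origin); only the
    # digest pinned in the trusted source release notices the change.
    print(scenario_repo_swapped(TAMPERED_JAR, sha256_hex(TAMPERED_JAR)))
```

Case 3 is the one the thread is really about: if the reference digest lives next to the artifact, whoever can replace the artifact can replace the digest too, so the check only ever detects transit corruption. Pinning the digest in something the downstream builder already trusts (the upstream source release) is what turns the hash into a tamper check on the repository itself; proving who built the artifact still needs a signature.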
