incubator-general mailing list archives

From "Hiram Chirino" <>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Wed, 17 Sep 2008 18:33:24 GMT
Hi Noel,

If the problem you're trying to solve with artifact signing is to detect
and reject malicious artifacts that have been deployed to a hacked
repository, then there is a simpler fix that is available today.  Just
use the checksum plugin that I described here:

Basically the plugin helps you maintain a checksum database of all
dependencies needed in the build which is part of the project source
code.  It will validate that all downloaded dependencies match their
checksums before running the build.  This way you can feel safe that
all those random artifacts downloaded by maven are the actual
artifacts that the project intended you to use.

On Wed, Sep 17, 2008 at 1:19 PM, Noel J. Bergman <> wrote:
> Dan,
> It is a policy matter, not a legal one.  And enforcing artifact signing
> would address this and other crucial, fatal flaws in Maven's repository
> management.
> I still maintain that unless Maven makes swift strides to enforce signing,
> the ASF should ban the use of the Maven repository for all ASF projects, and
> go so far as to remove all of our artifacts.
>        --- Noel
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:



Open Source SOA
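The two halves of the scheme described above, a checksum database kept in the project source and a pre-build check of every downloaded dependency against it, as an added example that is not the plugin's own code nor part of the original mail. The database line format, the SHA-256 choice and the artifact contents are assumptions made for this illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_checksums(artifacts: dict) -> str:
    """Build the database text from a trusted set of artifacts: one line per
    dependency, '<groupId:artifactId:version> <sha256>', committed with the source."""
    lines = ["# Maven dependency checksums (constructed example format)"]
    for coords in sorted(artifacts):
        lines.append(f"{coords} {sha256_hex(artifacts[coords])}")
    return "\n".join(lines) + "\n"

def parse_checksum_db(text: str) -> dict:
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # allow comments and blank lines
        if line:
            coords, digest = line.split()
            db[coords] = digest.lower()
    return db

def verify_dependencies(db_text: str, downloaded: dict) -> list:
    """Check every downloaded artifact against the committed database before the
    build runs. Returns sorted (coordinates, reason) failures; empty means proceed.
    Unlisted artifacts fail too, so a compromised repository cannot slip in an
    extra dependency the project never vetted."""
    expected = parse_checksum_db(db_text)
    failures = []
    for coords, data in downloaded.items():
        if coords not in expected:
            failures.append((coords, "unlisted"))
        elif sha256_hex(data) != expected[coords]:
            failures.append((coords, "checksum mismatch"))
    for coords in expected:
        if coords not in downloaded:
            failures.append((coords, "missing"))
    return sorted(failures)

# Constructed stand-ins for the jar bytes Maven would download.
TRUSTED = {
    "org.example:lib-a:1.0.0": b"lib-a 1.0.0 jar bytes",
    "org.example:lib-b:2.1.0": b"lib-b 2.1.0 jar bytes",
}

if __name__ == "__main__":
    db = record_checksums(TRUSTED)
    tampered = {**TRUSTED, "org.example:lib-a:1.0.0": b"altered jar bytes"}
    print(verify_dependencies(db, TRUSTED))   # []
    print(verify_dependencies(db, tampered))  # [('org.example:lib-a:1.0.0', 'checksum mismatch')]
```

The check deliberately fails on artifacts absent from the database as well as on mismatches, since a repository compromise can add dependencies just as easily as replace them.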
