incubator-general mailing list archives

From "Hiram Chirino" <>
Subject Re: status of PGP support in Maven
Date Tue, 07 Oct 2008 13:21:33 GMT
On Mon, Oct 6, 2008 at 11:39 PM, Niclas Hedhman <> wrote:
> On Mon, Oct 6, 2008 at 10:08 PM, Hiram Chirino <> wrote:
>> There are maven plugins that can validate the checksums of 3rd party
>> dependencies.
> Uhhh... Call me stupid, but how can checksum solve anything other than
> assuring that the download worked?? AFAIK, Maven does not pick up the
> checksums from the "authoritative" server and validates it against the
> mirrored one. Perhaps that has changed since "back then"... And even
> then, how hard can it be to get the same 1024/2048/65536/... bit
> checksum by modifying that many 'extra' or 'unused' bits?

Because we would be including the checksum in the source code of the
project that needs the dependency. I guess I failed to say that the
checksum needs to be a cryptographic checksum and not one of your CRC
variants. That way it's computationally difficult to figure out which
bits you need to pad to get the same checksum.

So like I said, once you start doing that, Maven is about as secure as
any other build tool that we currently use at the ASF.

> Cheers
> Niclas



Open Source SOA
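An added example, not code from the thread, sketching in Python the scheme Hiram describes: the SHA-256 of a dependency is pinned in the project's own source and checked against whatever the mirror delivered, and, for contrast, a CRC-class additive checksum is shown to be matchable by appending "unused" bytes. The artifact bytes, the manifest entry name and the pinned table are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample artifact standing in for a downloaded dependency, and the
# checksum a project would pin in its own source tree (hypothetical manifest).
ARTIFACT = b"Manifest-Version: 1.0\nMain-Class: org.example.Main\n" * 8
PINNED_SHA256 = {"example-lib-1.0.jar": hashlib.sha256(ARTIFACT).hexdigest()}


def verify_pinned(name: str, data: bytes, pinned=PINNED_SHA256) -> bool:
    """Accept a downloaded artifact only if it hashes to the pinned SHA-256."""
    expected = pinned.get(name)
    if expected is None:
        return False  # unknown dependency: a mirror's own .sha1 is not trusted
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def weak_checksum(data: bytes) -> int:
    """A 16-bit additive checksum: a stand-in for CRC-class, non-crypto checks."""
    return sum(data) & 0xFFFF


def pad_to_match_weak(tampered: bytes, target: int) -> bytes:
    """Append padding bytes so that tampered data reproduces a 16-bit sum.
    The checksum is linear in the bytes, so the padding is computed directly;
    this is exactly the 'pad the unused bits' concern raised in the thread."""
    deficit = (target - weak_checksum(tampered)) & 0xFFFF
    padding = bytes([0xFF] * (deficit // 0xFF) + [deficit % 0xFF])
    return tampered + padding


def demo() -> dict:
    """Tamper with the artifact, forge the weak checksum, and compare outcomes."""
    tampered = ARTIFACT.replace(b"org.example.Main", b"org.evil.Loader")
    forged = pad_to_match_weak(tampered, weak_checksum(ARTIFACT))
    return {
        "weak_check_fooled": weak_checksum(forged) == weak_checksum(ARTIFACT),
        "sha256_accepts_original": verify_pinned("example-lib-1.0.jar", ARTIFACT),
        "sha256_rejects_forged": not verify_pinned("example-lib-1.0.jar", forged),
    }


if __name__ == "__main__":
    print(demo())
```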
