incubator-general mailing list archives

From "Niclas Hedhman" <>
Subject Re: status of PGP support in Maven
Date Tue, 07 Oct 2008 03:39:20 GMT
On Mon, Oct 6, 2008 at 10:08 PM, Hiram Chirino <> wrote:

> There are maven plugins that can validate the checksums of 3rd party
> dependencies.

Uhhh... Call me stupid, but how can checksum solve anything other than
assuring that the download worked?? AFAIK, Maven does not pick up the
checksums from the "authoritative" server and validate them against the
mirrored one. Perhaps that has changed since "back then"... And even
then, how hard can it be to get the same 1024/2048/65536/... bit
checksum by modifying that many 'extra' or 'unused' bits?
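
The mirror question raised in this message, as an added example that is not part of the original post or of Maven's code: a checksum file served by the same repository as the artifact only confirms the transfer, while a digest obtained out of band from a trusted source detects a swapped artifact. The coordinate, file name, byte strings and the `PINS` table are constructed for the illustration.

```python
import hashlib
import hmac


def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def sidecar_check(artifact: bytes, sidecar_text: str, algo: str = "sha1") -> bool:
    """Compare the artifact with the checksum file served next to it."""
    fields = sidecar_text.split()
    if not fields:
        return False  # empty checksum file: nothing to compare against
    return hmac.compare_digest(digest(artifact, algo), fields[0].lower())


def pinned_check(artifact: bytes, coordinate: str, pins: dict, algo: str = "sha256") -> bool:
    """Compare the artifact with a digest recorded from a trusted source."""
    expected = pins.get(coordinate)
    if expected is None:
        return False  # fail closed: an unpinned dependency is not accepted
    return hmac.compare_digest(digest(artifact, algo), expected)


# Constructed sample data (not a real jar, not a real coordinate).
ORIGINAL = b"PK\x03\x04 constructed stand-in for example-lib-1.0.jar"
TAMPERED = ORIGINAL + b" + content changed on the mirror"
COORD = "org.example:example-lib:1.0"
# Pin recorded once from the publisher, independent of any mirror.
PINS = {COORD: digest(ORIGINAL, "sha256")}


def mirror_serves(artifact: bytes):
    """A mirror controls both files, so its checksum always matches its artifact."""
    return artifact, digest(artifact, "sha1") + "  example-lib-1.0.jar\n"


def evaluate(artifact: bytes) -> dict:
    body, sidecar = mirror_serves(artifact)
    return {
        "sidecar": sidecar_check(body, sidecar),
        "pinned": pinned_check(body, COORD, PINS),
    }


if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL))
    print("tampered:", evaluate(TAMPERED))
```
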

