ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Conor MacNeill <>
Subject Re: validating content in Maven repositories
Date Sat, 23 Oct 2004 01:25:05 GMT
As far as I can tell, MD5s from the same server can only tell you about 
download corruption. MD5s from a separate, "trusted" server for a 
download verify the remote machine's content is correct with respect to 
the trusted version. This is important for mirroring - if you look at 
Ant's download page, the zips are sourced from a mirror but the MD5s 
point to the version.

To properly validate a download, it does need to be signed. We currently 
do that but there is no guaranteed trust relationships set up. Once we 
get to the question of a CA, you need to include ASF-wide infrastructure 
people in the discussion. I think there may be some overhead in managing 
that for the whole ASF


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message