ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <>
Subject validating content in Maven repositories
Date Fri, 22 Oct 2004 22:03:01 GMT
Lets assume that I am writing a task to download jar files from remote
places. No more specifics, as I will only get feature requests :)

Now lets assume that the maven repository is an obvious place of stuff,
and one class of repository to work with. Maven repositories have
(a) the jar files
(b) md5 signatures (e.g. ->
4dd8dfba17f9567f5a4dcc4005c7d6a7 )

So to verify stuff I could fetch the jars and then the md5 signatures &
make sure the jar matches the signature.

But what good does this do? If the server is subverted, the md5
checksums are corruptible too! The only way to secure it is one of

1. checksums to live on  an http server you trust
2. things to be signed by a CA you trust. 

There must be something I am missing here. Also, can/should we declare
ourselves a CA and sign all our ant jars.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message