ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <ste...@apache.org>
Subject Re: validating content in Maven repositories
Date Tue, 26 Oct 2004 09:17:36 GMT
<conor@cortexebusiness.com.au> wrote:
 > As far as I can tell, MD5s from the same server can only tell you about
 > download corruption. MD5s from a separate, "trusted" server for a
 > download verify the remote machine's content is correct with respect to
 > the trusted version. This is important for mirroring - if you look at
 > Ant's download page, the zips are sourced from a mirror but the MD5s
 > point to the apache.org version.
 >

Exactly.

One nice thing about maven's repository is that you can automatically 
find the .md5 signature for
any achive file by appending .md5 to it. We really need a trusted 
(https) repository that serves up the checksums. Or they get signed.

-steve

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org


Mime
View raw message