groovy-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Boudnik <...@apache.org>
Subject Re: Release Apache Groovy 2.4.7
Date Sun, 05 Jun 2016 18:22:34 GMT
Maven has a way of signing artifacts and publishing checksums. In fact, it is
one of the requirement we stick to in Apache Bigtop (see [1])

Maven has verify plugin for this purpose [2].

[1] https://repo.maven.apache.org/maven2/org/apache/bigtop/itest/itest-common/1.1.0/
[2] https://maven.apache.org/plugins/maven-verifier-plugin/verify-mojo.html

Cos

On Sat, Jun 04, 2016 at 10:54AM, Russel Winder wrote:
> On Sat, 2016-06-04 at 10:53 +0200, jim northrop wrote:
> > what does this mean to the avg hacker ? do we need to fix our kit
> > anyway ?
> > 
> 
> For those who download and check signatures, SHA1 and MD5 are
> unreliable and provide very weak confidence.
> 
> I am not sure what stance Gradle, Maven, and Ant take on signature
> checking, do they do any signature checking at all?
> 
> -- 
> Russel.
> =============================================================================
> Dr Russel Winder      t: +44 20 7585 2200   voip: sip:russel.winder@ekiga.net
> 41 Buckmaster Road    m: +44 7770 465 077   xmpp: russel@winder.org.uk
> London SW11 1EN, UK   w: www.russel.org.uk  skype: russel_winder



Mime
View raw message