incubator-general mailing list archives

From sebb <seb...@gmail.com>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 14:59:43 GMT
On 18/09/2008, Hiram Chirino <hiram@hiramchirino.com> wrote:
> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
>
> > Similarly, the issue of signature validation is a significant flaw which
> > I also hope maven addresses even more promptly, and which they are aware
> > of.  The alternatives are to take down maven until it is secure, or to
> > continue to populate maven with various released artifacts.  And this too
> > isn't germane to the question above, which is;
>
> The signature validation issue has a simple fix which I have already
> mentioned earlier.  I'm not sure why folks continue to think it's
> still a problem.  All the projects need to do is enable a checksum
> validation plugin, and at least that problem is resolved.
>

Not sure I agree that the checksum plugin solves the problem.

As far as I can tell, all that the plugin does is to detect any
changes to dependencies that occur *after the checksum list is
initially generated*.

Unless I'm mistaken, it does not guard against the original dependency
already being corrupt, nor does it protect the product itself.

What's to stop the checksum list being corrupted?

>
>  --
>  Regards,
>  Hiram
>
>  Blog: http://hiramchirino.com
>
>  Open Source SOA
>  http://open.iona.com
>
>  ---------------------------------------------------------------------
>
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>  For additional commands, e-mail: general-help@incubator.apache.org
>
>
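
An added illustration of the three cases raised in the reply above (not code from the thread or from any Maven plugin): a checksum list pinned on first use, checked against constructed artifact bytes. All function names are hypothetical, and the HMAC is an assumed stand-in for a signature made with a key that is not stored alongside the checksum list.

```python
import hashlib
import hmac
import json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pin(artifacts: dict) -> dict:
    """Generate the checksum list from whatever bytes are present right now."""
    return {name: digest(data) for name, data in artifacts.items()}

def verify(artifacts: dict, manifest: dict) -> list:
    """Return the artifact names whose content no longer matches the list."""
    return sorted(n for n, d in artifacts.items() if manifest.get(n) != digest(d))

def seal(manifest: dict, key: bytes) -> str:
    """Authenticate the list itself (HMAC here; a real setup would use a signature)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def scenarios() -> dict:
    key = b"constructed-demo-key"                  # assumption: held outside the repo
    genuine = {"lib-1.0.jar": b"genuine bytes"}    # constructed sample artifact
    altered = {"lib-1.0.jar": b"altered bytes"}    # same name, different content
    manifest = pin(genuine)
    tag = seal(manifest, key)
    rewritten = pin(altered)                       # list regenerated to match
    return {
        # 1. Dependency changes after the list was generated: mismatch reported.
        "changed_after_pinning": verify(altered, manifest),
        # 2. Dependency was already altered when the list was first generated:
        #    the altered bytes are pinned as the reference, nothing is reported.
        "altered_before_pinning": verify(altered, pin(altered)),
        # 3. The list is rewritten together with the artifact: checksums agree.
        "list_rewritten": verify(altered, rewritten),
        #    Only the authentication tag over the list exposes case 3.
        "rewritten_list_seal_valid": hmac.compare_digest(seal(rewritten, key), tag),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

Authenticating the list addresses only the third case; the second still requires a check against something the publisher produced, such as a signature over the artifact.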
