incubator-general mailing list archives

From sebb <seb...@gmail.com>
Subject Re: Incubator Maven repo [WAS Re: [VOTE] [POLICY] Allow extra release distribution channels like the central Maven repository]
Date Thu, 18 Sep 2008 19:08:27 GMT
On 18/09/2008, Jukka Zitting <jukka.zitting@gmail.com> wrote:
> Hi,
>
>  On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
>
> > Not if there is a man in the middle attack.  If you didn't notice the
>  > recent noise w.r.t. DNS pollution, that's the very point of that vector.
>  > Had it been exploited, tens of thousands of download users could have
>  > been presented with inauthentic maven artifacts, complete with their
>  > freshly corresponding checksums.  Welcome to the internet.
>
>
> Using Hiram's plugin the checksums are already stored in the project
>  that you're building and which you typically got either by checking it
>  out of svn or by downloading a source release, both of which are
>  separate from the Maven repository.
>
>  Once you're confident that the sources you have are not compromised,
>  the included checksums will verify that the dependencies that were
>  downloaded by Maven are also valid (i.e. the same binaries that the
>  original developer used).
>
>  The checksums are _not_ downloaded from the Maven repository.
>

So where are they stored?

>  BR,
>
>
>  Jukka Zitting
>
>
>  ---------------------------------------------------------------------
>  To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>  For additional commands, e-mail: general-help@incubator.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
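The verification model Jukka describes above, as an added example that is not part of the original thread and not the code of Hiram's plugin: the checksums the build trusts come from the project's own source tree (obtained by svn checkout or from a source release), and the artifacts Maven downloads are checked against those. The example contrasts that with trusting the repository's own .sha1 files, which is what William's man-in-the-middle point is about. Artifact bytes, the manifest structure and the artifact path are constructed for illustration; that the pinned checksums live in the POM or a checked-in file is an assumption about the exact location.

```python
import hashlib
from typing import Dict

# Constructed sample: the checksums a project pins in its own source tree
# (assumed here to be the POM or a checksum file checked into svn / shipped
# in the source release). The build trusts only these, never anything the
# repository serves. The "good" value is computed below from constructed
# artifact bytes so the example runs offline.
GOOD_JAR = b"PK\x03\x04 constructed bytes of foo-1.0.jar as the developer built it"
TAMPERED_JAR = b"PK\x03\x04 constructed bytes of a substituted foo-1.0.jar"
ARTIFACT_PATH = "org/example/foo/1.0/foo-1.0.jar"  # constructed path


def sha1_hex(data: bytes) -> str:
    """Maven-style SHA-1 checksum as lowercase hex (Maven also publishes MD5)."""
    return hashlib.sha1(data).hexdigest()


# Pinned checksums that travel with the source, not with the repository.
PINNED_SHA1: Dict[str, str] = {ARTIFACT_PATH: sha1_hex(GOOD_JAR)}


def repo_side_check(data: bytes, served_sha1: str) -> bool:
    """What a client gets by trusting the repository's own .sha1 file.

    Whoever can substitute the artifact can substitute the .sha1 beside it,
    so this catches accidental corruption but not a substituted download.
    """
    return sha1_hex(data) == served_sha1.strip().lower()


def verify_against_pinned(downloads: Dict[str, bytes],
                          pinned: Dict[str, str]) -> Dict[str, str]:
    """Check each downloaded artifact against the checksum pinned in the
    source tree. Returns a status per artifact path:
      'ok'        bytes match what the original developer built against
      'mismatch'  bytes differ from the pinned checksum; do not use them
      'unpinned'  no pinned checksum, so the build has nothing to trust here
    """
    results: Dict[str, str] = {}
    for path, data in downloads.items():
        expected = pinned.get(path)
        if expected is None:
            results[path] = "unpinned"
        elif sha1_hex(data) == expected.strip().lower():
            results[path] = "ok"
        else:
            results[path] = "mismatch"
    return results


def main() -> None:
    # Honest repository: artifact and its .sha1 both as published.
    print(repo_side_check(GOOD_JAR, sha1_hex(GOOD_JAR)))
    print(verify_against_pinned({ARTIFACT_PATH: GOOD_JAR}, PINNED_SHA1))

    # Substituted artifact served with a freshly computed .sha1: the
    # repository-side check still passes, the pinned check reports a mismatch.
    print(repo_side_check(TAMPERED_JAR, sha1_hex(TAMPERED_JAR)))
    print(verify_against_pinned({ARTIFACT_PATH: TAMPERED_JAR}, PINNED_SHA1))


if __name__ == "__main__":
    main()
```

The design point is that the pinned checksum and the artifact arrive over two separate paths; an attacker who controls the download path gets to pick both the artifact and its neighbouring .sha1, but not the value already sitting in the checked-out project. An artifact with no pinned checksum is reported as `unpinned` rather than silently accepted, since an unverified dependency is the gap such a scheme exists to close.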