On 18/09/2008, Jukka Zitting <jukka.zitting@gmail.com> wrote:
> Hi,
>
> On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
>
> > Not if there is a man in the middle attack. If you didn't notice the
> > recent noise w.r.t. DNS pollution, that's the very point of that vector.
> > Had it been exploited, tens of thousands of download users could have
> > been presented with inauthentic maven artifacts, complete with their
> > freshly corresponding checksums. Welcome to the internet.
>
> Using Hiram's plugin the checksums are already stored in the project
> that you're building and which you typically got either by checking it
> out of svn or by downloading a source release, both of which are
> separate from the Maven repository.
>
> Once you're confident that the sources you have are not compromised,
> the included checksums will verify that the dependencies that were
> downloaded by Maven are also valid (i.e. the same binaries that the
> original developer used).
>
> The checksums are _not_ downloaded from the Maven repository.
>
So where are they stored?
> BR,
>
> Jukka Zitting
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
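The verification model Jukka describes, as an added illustration that is not code from the thread or from Hiram's plugin: the expected checksums live in the project tree, and the jars Maven pulled into the local repository are hashed against them rather than against a .sha1 file served over the same channel. The artifact paths, jar bytes and manifest format below are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for jars Maven would download; the expected hashes are
# computed from these bytes and kept on the project side, not fetched remotely.
SAMPLE_ARTIFACTS = {
    "org/example/lib/1.0/lib-1.0.jar": b"PK\x03\x04 constructed jar bytes for lib-1.0",
    "org/example/util/2.3/util-2.3.jar": b"PK\x03\x04 constructed jar bytes for util-2.3",
}

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def build_manifest(artifacts: dict) -> str:
    """Render the project-side checksum list as '<sha1>  <path>' per line."""
    return "".join(f"{sha1_hex(b)}  {path}\n" for path, b in artifacts.items())

def parse_manifest(text: str) -> dict:
    """Parse the checksum list into {path: sha1}; skip blank and '#' lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        expected[path] = digest.lower()
    return expected

def verify_local_repo(expected: dict, repo_dir: str) -> dict:
    """Hash each pinned artifact under repo_dir and compare with the pinned
    digest. Returns {path: "ok" | "mismatch" | "missing"}."""
    results = {}
    for path, digest in expected.items():
        full = os.path.join(repo_dir, path)
        if not os.path.isfile(full):
            results[path] = "missing"
            continue
        with open(full, "rb") as fh:
            results[path] = "ok" if sha1_hex(fh.read()) == digest else "mismatch"
    return results

def demo() -> dict:
    """Populate a throwaway local repository in which one jar differs from
    what the project pinned, then run the check against the stored manifest."""
    manifest = build_manifest(SAMPLE_ARTIFACTS)  # captured from the good bytes
    with tempfile.TemporaryDirectory() as repo:
        for path, data in SAMPLE_ARTIFACTS.items():
            full = os.path.join(repo, path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data + b" altered" if "util" in path else data)
        return verify_local_repo(parse_manifest(manifest), repo)
```

A build that fails on any status other than "ok" answers the thread's question: the checksums are stored with the sources, so a substituted jar is caught even when the repository's own checksum files were substituted alongside it.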