incubator-general mailing list archives

From "Hiram Chirino" <hi...@hiramchirino.com>
Subject Re: status of PGP support in Maven
Date Tue, 07 Oct 2008 13:21:33 GMT
On Mon, Oct 6, 2008 at 11:39 PM, Niclas Hedhman <niclas@hedhman.org> wrote:
> On Mon, Oct 6, 2008 at 10:08 PM, Hiram Chirino <hiram@hiramchirino.com> wrote:
>
>> There are maven plugins that can validate the checksums of 3rd party
>> dependencies.
>
> Uhhh... Call me stupid, but how can checksum solve anything other than
> assuring that the download worked?? AFAIK, Maven does not pick up the
> checksums from the "authoritative" server and validate them against the
> mirrored one. Perhaps that has changed since "back then"... And even
> then, how hard can it be to get the same 1024/2048/65536/... bit
> checksum by modifying that many 'extra' or 'unused' bits?
>

Because we would be including the checksum in the source code of the
project that needs the dependency. I guess I failed to say that the
checksum needs to be a cryptographic checksum and not one of your CRC
variants. That way it's computationally difficult to figure out which
bits you need to pad to get the same checksum.

So like I said, once you start doing that, Maven is about as secure as
any other build tool that we currently use at the ASF.

>
> Cheers
> Niclas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>



-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com
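The two positions in this exchange, modelled as an added example (not code from either poster or from Maven): a toy mirror serves an artifact plus a checksum file beside it, and the consuming project either trusts that mirror-supplied checksum or compares against a SHA-256 it has pinned in its own source. The artifact bytes and the Mirror class are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a third-party jar fetched from a repository.
ORIGINAL_JAR = b"PK\x03\x04 genuine-library-1.0.jar contents"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The hash a project commits into its own build source, taken once from the
# authoritative release rather than from whatever mirror serves the download.
PINNED_SHA256 = sha256_hex(ORIGINAL_JAR)

@dataclass
class Mirror:
    """Toy repository mirror: serves an artifact and the .sha256 file next to it."""
    artifact: bytes
    checksum: str

def honest_mirror() -> Mirror:
    return Mirror(ORIGINAL_JAR, sha256_hex(ORIGINAL_JAR))

def tampered_mirror() -> Mirror:
    # A mirror that swaps the artifact can just as easily republish a checksum
    # that matches the swapped bytes, so the pair stays internally consistent.
    modified = ORIGINAL_JAR.replace(b"genuine", b"swapped")
    return Mirror(modified, sha256_hex(modified))

def verify_with_mirror_checksum(m: Mirror) -> bool:
    """Checksum downloaded from the same mirror as the artifact.
    This only proves the download was not corrupted in transit."""
    return hmac.compare_digest(sha256_hex(m.artifact), m.checksum)

def verify_with_pinned_checksum(m: Mirror, pinned: str = PINNED_SHA256) -> bool:
    """Checksum committed in the consuming project's source.
    A substituted artifact fails here regardless of what the mirror publishes."""
    return hmac.compare_digest(sha256_hex(m.artifact), pinned)

if __name__ == "__main__":
    for name, m in (("honest", honest_mirror()), ("tampered", tampered_mirror())):
        print(f"{name:9} mirror-checksum={verify_with_mirror_checksum(m)} "
              f"pinned-checksum={verify_with_pinned_checksum(m)}")
```

The tampered mirror passes the mirror-supplied check and fails only the pinned one, which is the difference the thread is arguing about; the pinned value must be a cryptographic hash, since matching a CRC by padding bits is cheap.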
