maven-dev mailing list archives

From Martijn Dashorst <martijn.dasho...@gmail.com>
Subject Re: Model Version 5.0.0
Date Mon, 24 Mar 2014 18:45:21 GMT
On Mon, Mar 24, 2014 at 7:29 PM, Robert Scholte <rfscholte@apache.org> wrote:

> I have to admit I have never used it, but aren't the -c / -C Maven
> commandline options meant for this?
>

Only if you trust the repository where you get the checksums from. The idea
advocated by Baptiste is that as a project owner you specify not only which
GAV you require but also the checksum of a dependency: this way you can
retrieve the checksum from the original project and make sure everybody
gets the 'official' version. This also ensures that nobody can tamper with
uploading a new version to a repository under the same GAV.

Now probably this will not be very practical to introduce on a large
project (try to find the correct signatures for each dependency in, for
example, a standard Maven build for a hello world application), but for some
venues this might actually make sense, where security and accountability are
paramount.

Martijn
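The distinction Martijn draws above, between trusting a checksum the repository publishes next to the artifact and pinning a checksum the project owner obtained from the original project, can be shown in a few lines. The following is an added, self-contained Python demonstration written for this archive page; it is not Maven code and not Baptiste's proposal as implemented anywhere. The `<sha256>` element in the POM fragment is hypothetical (Maven's POM has no such element), the artifact bytes and both repositories are constructed in-line, and SHA-256 is used simply as a modern digest. The example models a re-upload under the same GAV: the repository's own checksum file is regenerated to match the new bytes, so a repository-supplied check passes, while the project-pinned check fails.

```python
import hashlib
import xml.etree.ElementTree as ET


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact body."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for jar files; not real Maven artifacts.
ORIGINAL_JAR = b"PK\x03\x04 example-lib 1.0 as published by the original project (constructed)"
TAMPERED_JAR = b"PK\x03\x04 example-lib 1.0 re-uploaded by someone else (constructed)"

GAV = "org.example:example-lib:1.0"

# A repository maps GAV -> (artifact bytes, checksum the repository publishes alongside it).
HONEST_REPO = {GAV: (ORIGINAL_JAR, sha256_hex(ORIGINAL_JAR))}
# Same GAV, different bytes, and the published checksum was regenerated to match them.
COMPROMISED_REPO = {GAV: (TAMPERED_JAR, sha256_hex(TAMPERED_JAR))}

# Hypothetical POM fragment: the <sha256> element does not exist in Maven; it stands in
# for a per-dependency checksum pin that the project owner fetched from the original project.
PINNED_POM = """<project>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-lib</artifactId>
      <version>1.0</version>
      <sha256>{digest}</sha256>
    </dependency>
  </dependencies>
</project>"""


class ChecksumMismatch(Exception):
    """Raised when a resolved artifact does not match the project's pinned checksum."""


def load_pins(pom_xml: str) -> dict:
    """Read GAV -> pinned sha256 from the (hypothetical) POM fragment."""
    pins = {}
    for dep in ET.fromstring(pom_xml).iter("dependency"):
        gav = ":".join(dep.findtext(tag) for tag in ("groupId", "artifactId", "version"))
        digest = dep.findtext("sha256")
        if digest:
            pins[gav] = digest.strip().lower()
    return pins


def repo_checksum_ok(repo: dict, gav: str) -> bool:
    """Repository-supplied check: the artifact against the checksum published next to it.
    This is the trust model of taking checksums from the same repository you download from."""
    data, published = repo[gav]
    return sha256_hex(data) == published


def resolve_pinned(repo: dict, pins: dict, gav: str) -> bytes:
    """Project-pinned check: the artifact must match the checksum declared by the project owner."""
    data, _ = repo[gav]
    actual = sha256_hex(data)
    if actual != pins[gav]:
        raise ChecksumMismatch(f"{gav}: pinned {pins[gav][:12]}..., got {actual[:12]}...")
    return data


def pin_rejects(repo: dict, pins: dict, gav: str) -> bool:
    """True when the pinned check refuses the artifact served by this repository."""
    try:
        resolve_pinned(repo, pins, gav)
    except ChecksumMismatch:
        return True
    return False


# Pins as the project owner would commit them, derived here from the original bytes.
PINS = load_pins(PINNED_POM.format(digest=sha256_hex(ORIGINAL_JAR)))

if __name__ == "__main__":
    for name, repo in (("honest", HONEST_REPO), ("compromised", COMPROMISED_REPO)):
        print(f"{name:12} repo-supplied checksum ok: {repo_checksum_ok(repo, GAV)}; "
              f"pinned checksum rejects: {pin_rejects(repo, PINS, GAV)}")
```

The repository-supplied check returns True for both repositories, because a re-uploaded artifact arrives with a matching checksum file; only the pin committed by the project owner notices that the bytes under the same GAV changed. The maintenance cost Martijn mentions is visible too: every pinned dependency needs its digest obtained from the original project and updated on every version bump.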
