www-repository mailing list archives

From Steve Loughran <steve.lough...@gmail.com>
Subject auditing the artifacts
Date Thu, 15 Apr 2010 08:40:59 GMT
I'm wondering what the best way to audit *.jar and *.pom is to make
sure they are all the same as they were before someone malicious got
onto some of the ASF servers last week. I'm also curious about whether
there's a way to see if any mirror server is serving up bad stuff.

Both M2 and Ivy now check the checksums, correct? So all I'd need to
do is pull down all the checksums from any public repository, and
compare them against a list of gold SHA1 values, and then I'd see if
there is a bad value - no need to D/L the artifacts themselves?

If so, does anyone have a list of gold/signed SHA1 checksums for both
binary and metadata artifacts that I could start with?
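As an added illustration of the audit Steve describes (this is the editor's example, not code from the thread or from the ASF repository tooling), the script below compares the `.sha1` files a mirror serves against a gold list of SHA1 digests, and optionally hashes the artifact bytes too. All paths, artifact bytes and the "tampered" mirror entries are constructed inline; the assumption that a Maven-style `.sha1` file holds either a bare hex digest or `sha1sum`-style `digest  filename` is the editor's, not stated in the thread.

```python
import hashlib
import re

# A SHA1 digest is 40 hex characters; tolerate sha1sum-style "digest  filename" lines.
SHA1_RE = re.compile(r"\b([0-9a-fA-F]{40})\b")


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 of raw artifact bytes (what the repository's .sha1 file should contain)."""
    return hashlib.sha1(data).hexdigest()


def parse_checksum_file(text: str):
    """Extract the digest from the text of a .sha1 file; None if no 40-hex token is present."""
    m = SHA1_RE.search(text)
    return m.group(1).lower() if m else None


def audit(gold, served_checksums, served_artifacts=None):
    """Compare a mirror against a gold manifest.

    gold: {artifact_path: expected_sha1_hex}
    served_checksums: {artifact_path + ".sha1": text of that file as served}
    served_artifacts: optional {artifact_path: bytes}; when given, the artifact
        itself is hashed, which catches a mirror that replaced both the
        artifact and its .sha1 file (a checksum-only audit cannot).
    """
    report = {"ok": [], "mismatch": [], "artifact_mismatch": [], "missing": [], "unparseable": []}
    for path, expected in sorted(gold.items()):
        text = served_checksums.get(path + ".sha1")
        if text is None:
            report["missing"].append(path)
            continue
        got = parse_checksum_file(text)
        if got is None:
            report["unparseable"].append(path)
            continue
        if got != expected.lower():
            report["mismatch"].append(path)
            continue
        if served_artifacts is not None and path in served_artifacts:
            if sha1_hex(served_artifacts[path]) != expected.lower():
                report["artifact_mismatch"].append(path)
                continue
        report["ok"].append(path)
    return report


# Constructed known-good artifacts; in practice the gold list comes from a trusted source, not the mirror.
GOOD_ARTIFACTS = {
    "org/example/foo/1.0/foo-1.0.jar": b"PK\x03\x04 constructed jar bytes for foo 1.0",
    "org/example/foo/1.0/foo-1.0.pom": b"<project>constructed pom for foo 1.0</project>",
    "org/example/bar/2.1/bar-2.1.jar": b"PK\x03\x04 constructed jar bytes for bar 2.1",
    "org/example/baz/0.1/baz-0.1.jar": b"PK\x03\x04 constructed jar bytes for baz 0.1",
}
GOLD = {path: sha1_hex(data) for path, data in GOOD_ARTIFACTS.items()}

# Constructed picture of a mirror: one clean entry, one .sha1 file with a bogus digest,
# one entry whose .sha1 is correct but whose artifact bytes differ, and one with no .sha1 at all.
MIRROR_CHECKSUMS = {
    "org/example/foo/1.0/foo-1.0.jar.sha1": GOLD["org/example/foo/1.0/foo-1.0.jar"] + "\n",
    "org/example/foo/1.0/foo-1.0.pom.sha1": GOLD["org/example/foo/1.0/foo-1.0.pom"] + "  foo-1.0.pom\n",
    "org/example/bar/2.1/bar-2.1.jar.sha1": "deadbeef" * 5 + "\n",  # placeholder bogus digest
}
MIRROR_ARTIFACTS = {
    "org/example/foo/1.0/foo-1.0.jar": GOOD_ARTIFACTS["org/example/foo/1.0/foo-1.0.jar"],
    "org/example/foo/1.0/foo-1.0.pom": b"<project>constructed TAMPERED pom</project>",
    "org/example/bar/2.1/bar-2.1.jar": GOOD_ARTIFACTS["org/example/bar/2.1/bar-2.1.jar"],
}


def checksum_only_audit():
    """The cheap pass Steve proposes: fetch only .sha1 files and compare to gold."""
    return audit(GOLD, MIRROR_CHECKSUMS)


def full_audit():
    """Same comparison, plus hashing the served artifact bytes."""
    return audit(GOLD, MIRROR_CHECKSUMS, MIRROR_ARTIFACTS)


if __name__ == "__main__":
    for name, result in (("checksum-only", checksum_only_audit()), ("full", full_audit())):
        print(name)
        for category, paths in result.items():
            if paths:
                print(f"  {category}: {', '.join(paths)}")
```

Running it shows the difference between the two passes: the checksum-only audit flags the bogus `bar-2.1.jar.sha1` and the missing `baz` checksum but reports `foo-1.0.pom` as fine, because its `.sha1` file still matches gold; only hashing the served bytes reveals the altered pom. A `.sha1` file that sits next to the artifact on the same mirror protects against transfer corruption, not against a mirror operator or intruder who rewrote both files, which is why the gold list (or a detached GPG signature) has to come from somewhere the mirror does not control.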
