Date: Wed, 21 Oct 2009 16:44:55 -0400
Subject: Digital Signature Verification
From: Rohit Sethi
To: dev@ant.apache.org

Hi all,

I wanted to start by thanking you for the amazing work you have put together. Ant is an awesome project and you should be proud of the work you've done to put it together.

If you've seen a message like this before it's because I've sent a similar message to the Maven developer mailing list :)

I wanted to ask quickly if you've had a chance to read this:
http://www.fortify.com/landing/downloadLanding.jsp?path=%2Fpublic%2Ffortify_attacking_the_build.pdf

I think supporting an option to automatically verify signatures for remote repositories would be an awesome boon for security. Does this option already exist and I'm just not looking hard enough, or are there plans to develop this feature in a future release?

Thanks,

--
Rohit Sethi
Security Compass
http://www.securitycompass.com