How do artifacts get into the remote Maven repository and how are they guaranteed to be the legitimate file?
Surely this concern has been discussed before, but I cannot find the answer. The Maven web pages just say something like: create a Jira issue and tell us what you want to add. That doesn't sound very rigorous.

With the ASF mirror system, we the Cocoon committers/PMC sign the release and create the MD5 sum. So then people who download the products can know for certain.

http://maven.apache.org/using/repositories.html
http://maven.apache.org/reference/repository-upload.html

--David