>but isn't it a bit different in semantics to the current checksum based validation?

Exactly. It is a different semantics. The case here is I do not know the intention behind the use of SHA-512 in the JMeter build.

>Do you think this is a problem?

I'm inclined to think that PGP is good enough. For instance, JMeter publishes 20 or so jars to Nexus, and we never publish "the official" SHA-512 checksums.

>but isn't it a bit different in semantics

There's yet another option: we could use both PGP+SHA for verification. It won't make dependency updates easier, however it would simplify review.

Vladimir
