I remember that wagon, at least 1.0-beta-4, strips everything after " *" in the signature file including, so it should already be implemented on the reading side. Wagon team - please correct me if I am wrong - I did not check out the wagon source.

So we'll have to add it to the writing side of wagon code and I'll add this to Mercury.

Question is - should verification fail if file name does not match? In the light of the latest event - CCC generating MD5 collisions - it's kind of pointless.

Overall - MD5 and SHA1 can only check for non-intentional data modifications, they don't address non-repudiation problems. And when was the last time your data was crippled during transfer? It does not happen any more.

That is why we should switch to PGP signatures as soon as possible - Mercury and Mercury Ant provide full support for that :)

Thanks,
Oleg

Tamás Cservenák wrote:
Not to mention that there are already a lot of files generated by md5sum and
sha1sum apps on central:
http://repo2.maven.org/maven2/log4j/log4j/maven-metadata.xml.md5
http://repo2.maven.org/maven2/log4j/log4j/maven-metadata.xml.sha1

But in the above cases, the path is obviously misleading.

~t~

On Fri, Jan 2, 2009 at 5:36 PM, Benjamin Bentmann <[email protected]> wrote:

Brian Fox wrote:

 I'm -1 to making a new format
Just to make sure we all have the same understanding: The proposed format
is not "new" as in "yet another checksum format". It's an already existing
format used by the md5sum tool (compare the format attribute of Ant's
checksum task [0]).


Benjamin


[0] http://ant.apache.org/manual/CoreTasks/checksum.html
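
An added example (not from the thread, and not Wagon's or Mercury's code): a reader in Python that accepts both a bare digest and the md5sum-style line discussed above, and reports a file-name mismatch separately so the caller decides whether it fails verification. The function names, the `strict_name` flag and the basename-only comparison are assumptions of this example.

```python
import hashlib
import hmac
import posixpath
import re

# <hex digest>, optionally followed by a space, a mode flag (' ' = text,
# '*' = binary) and the file name, as md5sum/sha1sum write it.
_LINE = re.compile(r"^([0-9a-fA-F]+)(?: [ *](.+))?$")


def parse_checksum_file(text):
    """Return (lowercase hex digest, recorded name or None) from the first line."""
    lines = text.strip().splitlines()
    match = _LINE.match(lines[0].strip()) if lines else None
    if match is None:
        raise ValueError("not a bare digest or md5sum-style line")
    return match.group(1).lower(), match.group(2)


def verify(data, checksum_text, algorithm, artifact_name, strict_name=False):
    """Check data against the body of a .md5/.sha1 file.

    Returns (digest_ok, name_ok); name_ok is None when no name was recorded.
    With strict_name=True a recorded name that differs fails verification.
    """
    digest, recorded = parse_checksum_file(checksum_text)
    actual = hashlib.new(algorithm, data).hexdigest()
    digest_ok = hmac.compare_digest(digest, actual)
    name_ok = None
    if recorded is not None:
        # Assumption: only the last path component is compared, because
        # existing files may carry the generating machine's local path.
        base = posixpath.basename(recorded.replace("\\", "/"))
        name_ok = base == artifact_name
    if strict_name and name_ok is False:
        return False, name_ok
    return digest_ok, name_ok
```
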
