Hey guys, I created a new maven plugin to help validate the integrity of the dependencies that maven auto downloads from the central repositories. It's located at:

https://svn.apache.org/repos/asf/servicemix/maven-plugins/checksum-maven-plugin/trunk

The basic idea is that it is possible that central repositories get hacked and artifacts/dependencies of our builds get replaced with malicious versions. Right now we have no way to easily detect that and we could potentially create a release build of ServiceMix which bundles one of those malicious dependencies. In practice this rarely occurs, but for those of us who are paranoid, I've created a Checksum plugin which will detect if someone has tampered with one of our dependencies.

Not sure if this is the right time to start implementing its use in servicemix, but I did want to introduce you guys to it. See http://hiramchirino.com/blog/2008/07/comments-on-maven-repository-security.html for more background.

--
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com
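As an added illustration of the check described above (example code, not the checksum-maven-plugin's own source), the script below compares the SHA-1 of every artifact in a local repository against a list of checksums pinned by the project at a trusted moment, and reports artifacts that were replaced or never downloaded. The repository layout, the artifact names and the manifest format are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha1_of_file(path):
    """Stream a file through SHA-1 (the digest Maven publishes next to artifacts)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_repository(repo_root, pinned):
    """Check each pinned artifact (path relative to repo_root -> expected SHA-1).

    Returns a dict with 'ok', 'mismatch' (path, expected, actual) and 'missing'.
    A mismatch means the bytes on disk are not the ones the release was built
    against, which is exactly the tampering case the plugin is meant to catch.
    """
    result = {"ok": [], "mismatch": [], "missing": []}
    for rel_path, expected in sorted(pinned.items()):
        full = os.path.join(repo_root, rel_path)
        if not os.path.isfile(full):
            result["missing"].append(rel_path)
            continue
        actual = sha1_of_file(full)
        if actual.lower() == expected.lower():
            result["ok"].append(rel_path)
        else:
            result["mismatch"].append((rel_path, expected, actual))
    return result


def run_demo():
    """Constructed scenario: two good artifacts pinned, then one gets replaced."""
    root = tempfile.mkdtemp()
    artifacts = {
        "org/example/lib/1.0/lib-1.0.jar": b"known-good lib bytes",
        "org/example/util/2.1/util-2.1.jar": b"known-good util bytes",
    }
    pinned = {}
    for rel, data in artifacts.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        pinned[rel] = sha1_of_file(full)  # pinned while the repo is trusted
    pinned["org/example/gone/3.0/gone-3.0.jar"] = "0" * 40  # pinned, never fetched
    # Simulate a compromised repository serving a different util jar.
    with open(os.path.join(root, "org/example/util/2.1/util-2.1.jar"), "wb") as f:
        f.write(b"replaced util bytes")
    return verify_repository(root, pinned)


if __name__ == "__main__":
    print(run_demo())
```

Pinning the digests in the project, rather than trusting the `.sha1` file served beside each artifact, is what makes the comparison meaningful when the repository itself is the thing that was compromised.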
