On Wednesday 23 Mar 2011 17:07:04 David ‘Bombe’ Roden wrote:
> On Monday 21 March 2011 00:32:33 [email protected] wrote:
> > Addressing security, Maven is a build system, it will not put
> > anything in your distribution that is not specified by you (even if it
> > does need to download a whole bunch of files into its repo to do so), so
> > security should not be an issue.
>
> I think toad was originally referring to the fact that Maven does not verify the
> downloaded archives in any way, so some Mallory could easily cause a Fred
> build to be poisoned.

Right. Does Maven verify signatures/hashes on downloaded files? I guess it could verify hashes, provided it is always downloading an exact version?

> (Other than that I’d really love to see a mavenized version of Fred, I’ve come
> to like Maven quite a bit over the last year or two.)
_______________________________________________
Devl mailing list
[email protected]
http://freenetproject.org/cgi-bin/mailman/listinfo/devl
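The reply above suggests that hash verification is workable when the build always fetches an exact artifact version. The following is an added example, not code from the Freenet/Fred project or from anyone in this thread, showing what that looks like as a defensive check: the expected SHA-256 of every pinned artifact is recorded once in a lock file, and every later download is verified against it before the build uses it, so a poisoned mirror or a tampered file is reported rather than silently linked in. The repository layout, artifact names, lock-file format and hashes are all constructed for the demo; nothing here is Maven's own mechanism.

```python
"""Pinned-hash verification of downloaded build artifacts.

Added example (not from the Fred project or the mailing-list thread).
It models the idea in the reply: with exact versions, each artifact's
expected hash can be pinned in a lock file and checked on every fetch.
The lock-file format, paths and hashes are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_lockfile(text):
    """Parse 'relative/path  <sha256 hex>' lines into a dict.

    Blank lines and '#' comments are ignored.  A malformed line raises
    instead of being skipped, so a damaged lock file cannot quietly shrink
    the set of artifacts that get verified.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1]) != 64:
            raise ValueError(f"lock file line {lineno} is malformed: {raw!r}")
        expected[parts[0]] = parts[1].lower()
    return expected


def verify_artifacts(root, expected):
    """Check every pinned artifact below root against its expected hash.

    Returns sorted lists under 'ok', 'mismatch' (present but hash differs),
    'missing' (pinned but never downloaded) and 'unpinned' (downloaded but
    absent from the lock file, so the build never approved it).
    """
    result = {"ok": [], "mismatch": [], "missing": [], "unpinned": []}
    for rel, want in expected.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_file(path) == want:
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in expected:
                result["unpinned"].append(rel)
    for key in result:
        result[key].sort()
    return result


def demo():
    """Build a throwaway 'repository' with one good, one tampered, one
    missing and one unpinned artifact, then verify it.  Constructed data."""
    good = b"constructed contents of library-1.0.jar"
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, "org/example/library/1.0"))
        os.makedirs(os.path.join(repo, "org/example/other/2.3"))
        with open(os.path.join(repo, "org/example/library/1.0/library-1.0.jar"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(repo, "org/example/other/2.3/other-2.3.jar"), "wb") as fh:
            fh.write(b"tampered bytes")  # will not match its pinned hash
        with open(os.path.join(repo, "stray.jar"), "wb") as fh:
            fh.write(b"never pinned")
        lock = (
            "# path  sha256 (constructed pins)\n"
            f"org/example/library/1.0/library-1.0.jar  {hashlib.sha256(good).hexdigest()}\n"
            f"org/example/other/2.3/other-2.3.jar  {'0' * 64}\n"
            f"org/example/missing/1.1/missing-1.1.jar  {'1' * 64}\n"
        )
        return verify_artifacts(repo, parse_lockfile(lock))


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

The lock file is the trust anchor here, so it must come from the project's own source tree (and be reviewed on every change), not from the repository being verified; a checksum fetched alongside the artifact from the same mirror proves only that the mirror is self-consistent.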
