On Sat, Apr 30, 2011 at 3:31 PM, <[email protected]> wrote:
> The repo poisoning issue is a canard - Maven checks the hashes and sigs

Checking hashes and signatures is hardly a cast-iron guarantee against Maven repo poisoning. If someone can slip a subtle vulnerability into the source of any Maven dependency then no amount of hash or signature checking will detect it.

Not that I'm opposed to switching to Maven (or perhaps Ivy, given that Maven pom files are horrible to work with), but let's at least acknowledge risks where they exist.

Ian.

--
Ian Clarke
Personal blog: http://blog.locut.us/
_______________________________________________
Devl mailing list
[email protected]
http://freenetproject.org/cgi-bin/mailman/listinfo/devl
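The distinction Ian draws above (integrity checks versus trust in what was published) is easy to see with a Maven-style `.sha1` sidecar check. The following is an added example, not code from the thread or from Freenet or Maven; the "artifacts" are constructed byte strings, and it assumes the sidecar is either a bare 40-hex-digit SHA-1 or the `sha1sum`-style `<hex>  <filename>` layout. It verifies an artifact against its sidecar and then runs three scenarios: a jar swapped in transit (caught), a jar built from source that was poisoned upstream (passes), and an attacker who can write both the jar and its sidecar to the repository (passes).

```python
"""Maven-style .sha1 sidecar verification, and what it can and cannot catch.
Added example with constructed data; not the project's own code."""
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed stand-ins for jar bytes (not real Maven artifacts).
CLEAN_JAR = b"some-lib-1.0.jar: clean build from the maintainer's source"
TAMPERED_JAR = b"some-lib-1.0.jar: clean build from the maintainer's source + backdoor"
POISONED_JAR = b"some-lib-1.0.jar: built from source with a subtle bug slipped in upstream"


def maven_sha1(data: bytes) -> str:
    """Hex SHA-1 as written into a repository's <artifact>.sha1 sidecar."""
    return hashlib.sha1(data).hexdigest()


def parse_checksum_file(text: str) -> Optional[str]:
    """Accept a bare 40-hex digest or sha1sum-style '<hex>  <filename>' (assumed
    sidecar layouts). Returns the lowercase digest, or None if unparseable."""
    m = re.match(r"\s*([0-9a-fA-F]{40})(?:\s|$)", text)
    return m.group(1).lower() if m else None


def verify_artifact(data: bytes, checksum_text: str) -> bool:
    """True only if the artifact bytes hash to the digest in the sidecar."""
    expected = parse_checksum_file(checksum_text)
    if expected is None:
        return False
    return hmac.compare_digest(maven_sha1(data), expected)


def build_repo(artifact: bytes) -> Dict[str, object]:
    """Publish an artifact the way a repository does: bytes plus a matching sidecar."""
    return {"jar": artifact, "sha1": maven_sha1(artifact) + "  some-lib-1.0.jar\n"}


def scenario_tampered_in_transit() -> bool:
    """Sidecar from the honest publisher, jar swapped by a mirror or MITM: fails."""
    repo = build_repo(CLEAN_JAR)
    return verify_artifact(TAMPERED_JAR, repo["sha1"])


def scenario_poisoned_at_source() -> bool:
    """The bug is in the source the publisher built from, so the publisher's own
    sidecar (and any signature over the same bytes) matches: passes."""
    repo = build_repo(POISONED_JAR)
    return verify_artifact(repo["jar"], repo["sha1"])


def scenario_attacker_controls_both() -> bool:
    """Attacker can write both the jar and its sidecar to the repository: passes."""
    repo = build_repo(TAMPERED_JAR)
    return verify_artifact(repo["jar"], repo["sha1"])


if __name__ == "__main__":
    print("tampered in transit, verified:", scenario_tampered_in_transit())      # False
    print("poisoned at source, verified:", scenario_poisoned_at_source())        # True
    print("attacker controls both, verified:", scenario_attacker_controls_both())  # True
```

The checksum (and likewise a signature, which covers the same bytes) detects substitution relative to what the publisher put in the repository; it says nothing about whether what the publisher built from was sound, which is the gap Ian is pointing at.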
