On Sunday 01 May 2011 20:10:24 Ian Clarke wrote:
> On Sat, Apr 30, 2011 at 3:31 PM, <[email protected]> wrote:
>
> > The repo poisoning issue is a canard - Maven checks the hashes and sig's
>
> Checking hashes and signatures is hardly a cast-iron guarantee against Maven
> repo poisoning. If someone can slip a subtle vulnerability into the source
> of any Maven dependency then no amount of hash or signature checking will
> detect it.
>
> Not that I'm opposed to switching to Maven (or perhaps Ivy, given that Maven
> pom files are horrible to work with), but let's at least acknowledge risks
> where they exist.
IMHO it is acceptable to use precompiled jars as long as they are signed and verified by hash. I have not seen - so far - any clear documentation to the effect that Maven ALWAYS checks signatures or secure hashes.
_______________________________________________ Devl mailing list [email protected] http://freenetproject.org/cgi-bin/mailman/listinfo/devl
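The distinction the two posters are circling (Maven's hash check versus a real guarantee) is easy to show concretely. Maven fetches the `.sha1` sidecar from the same repository as the jar and compares them under its `checksumPolicy` (`ignore`, `warn` or `fail`; `warn` unless configured otherwise), so that check only detects corruption or tampering in transit: whoever can replace the jar on the repository can republish the sidecar too. A consumer-side pin (a digest recorded out of band when the dependency was vetted) does catch a swapped artifact, but, as Ian says, neither check sees a vulnerability committed into the dependency's own source. The following is an added example, not code from the thread or from the Freenet or Maven projects; the artifact coordinates, jar bytes and lockfile are constructed for illustration, and the policy handling is a simplification of Maven's behaviour written for this example.

```python
"""Maven-style checksum verification, and what it does and does not prove."""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample data for this example (hypothetical coordinates and contents).
ARTIFACT = "org/example/widget/1.0/widget-1.0.jar"
GOOD_JAR = b"PK\x03\x04 pretend contents of widget-1.0"
TROJANED_JAR = b"PK\x03\x04 pretend contents of widget-1.0 plus a backdoor"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksum_file(text: str) -> str:
    """Accept either a bare hex digest or the `digest  filename` form
    written by sha1sum; the first token is the digest."""
    stripped = text.strip()
    return stripped.split()[0].lower() if stripped else ""


def sidecar_check(repo: Path, relpath: str, policy: str = "warn") -> bool:
    """Repository-side check, modelled on Maven's checksumPolicy (simplified here):
    compare the jar with the .sha1 served by the SAME repository.
    'ignore' skips the comparison, 'fail' raises on mismatch, 'warn' just reports it."""
    if policy == "ignore":
        return True
    expected = parse_checksum_file((repo / (relpath + ".sha1")).read_text())
    actual = sha1_hex((repo / relpath).read_bytes())
    if expected != actual and policy == "fail":
        raise RuntimeError(f"checksum mismatch for {relpath}")
    return expected == actual


def pinned_check(repo: Path, relpath: str, lockfile: dict) -> bool:
    """Consumer-side check: compare against a SHA-256 the consumer recorded
    out of band (e.g. committed with the build), not one fetched from the repository."""
    return sha256_hex((repo / relpath).read_bytes()) == lockfile[relpath]


def publish(repo: Path, relpath: str, data: bytes) -> None:
    """Write the artifact and its .sha1 sidecar the way a repository serves them."""
    path = repo / relpath
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    (repo / (relpath + ".sha1")).write_text(sha1_hex(data) + "\n")


def demo() -> dict:
    """Run three scenarios; each entry is (sidecar_check result, pinned_check result)."""
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d)
        publish(repo, ARTIFACT, GOOD_JAR)
        # The pin is taken when the dependency was first reviewed, and kept by the consumer.
        lock = {ARTIFACT: sha256_hex(GOOD_JAR)}
        results = {}
        # 1. Untouched artifact: both checks pass.
        results["clean"] = (sidecar_check(repo, ARTIFACT), pinned_check(repo, ARTIFACT, lock))
        # 2. Jar replaced but sidecar left alone (a corrupt or partially compromised mirror):
        #    the sidecar check catches it.
        (repo / ARTIFACT).write_bytes(TROJANED_JAR)
        results["jar_only"] = (sidecar_check(repo, ARTIFACT), pinned_check(repo, ARTIFACT, lock))
        # 3. Attacker controls the repository and republishes jar AND sidecar:
        #    the sidecar check is satisfied; only the consumer-held pin notices.
        publish(repo, ARTIFACT, TROJANED_JAR)
        results["jar_and_sidecar"] = (sidecar_check(repo, ARTIFACT), pinned_check(repo, ARTIFACT, lock))
        return results


if __name__ == "__main__":
    for scenario, (sidecar_ok, pinned_ok) in demo().items():
        print(f"{scenario:16s} sidecar={sidecar_ok} pinned={pinned_ok}")
```

Scenario 3 is the one that matters for "repo poisoning": a republished sidecar passes Maven's own check, and only a digest (or a PGP signature verified against a key the consumer trusts independently of the repository) held outside the repository detects the swap. Even the pin cannot distinguish a genuine release from one whose upstream source was already backdoored, which is the point made in the quoted reply.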
