On Wednesday 23 Mar 2011 17:07:04 David 'Bombe' Roden wrote:
> On Monday 21 March 2011 00:32:33 martin at technomation.net wrote:
>
> > Addressing security, Maven is a build system, it will not put
> > anything in your distribution that is not specified by you (even if it
> > does need to download a whole bunch of files into its repo to do so), so
> > security should not be an issue.
>
> I think toad was originally referring to the fact that Maven does not verify the
> downloaded archives in any way, so some Mallory could easily cause a Fred
> build to be poisoned.

Right. Does Maven verify signatures/hashes on downloaded files? I guess it could verify hashes, provided it is always downloading an exact version?

> (Other than that I'd really love to see a mavenized version of Fred, I've come
> to like Maven quite a bit over the last year or two.)
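The reply's idea of verifying hashes against pinned exact versions, sketched as an added example that is not part of this thread and is not Maven's own mechanism: a script that records a SHA-256 pin for every artifact in a trusted copy of a local repository tree and later flags any artifact whose bytes changed, any download that was never pinned, and any pinned file that is gone. The repository layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

ARTIFACT_SUFFIXES = (".jar", ".pom")  # what a Maven-style repo tree stores

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large jars are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_pins(repo_dir):
    """Map repo-relative artifact path -> digest for a tree you trust today."""
    repo = Path(repo_dir)
    return {p.relative_to(repo).as_posix(): sha256_file(p)
            for p in sorted(repo.rglob("*"))
            if p.is_file() and p.suffix in ARTIFACT_SUFFIXES}

def verify_repo(repo_dir, pins):
    """Compare the current tree against the pins; a changed digest or an
    unreviewed extra download is exactly what a poisoned build would show."""
    current = build_pins(repo_dir)
    return {
        "ok": sorted(k for k in pins if current.get(k) == pins[k]),
        "mismatched": sorted(k for k in pins if k in current and current[k] != pins[k]),
        "unpinned": sorted(k for k in current if k not in pins),
        "missing": sorted(k for k in pins if k not in current),
    }

def demo():
    """Constructed scenario: pin a trusted tree, then alter one jar and add an
    artifact that was never reviewed, as a tampered download would."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        lib = repo / "org/example/lib/1.0"          # hypothetical artifact
        lib.mkdir(parents=True)
        (lib / "lib-1.0.jar").write_bytes(b"trusted jar bytes")  # constructed
        (lib / "lib-1.0.pom").write_bytes(b"<project/>")         # constructed
        pins = build_pins(repo)
        (lib / "lib-1.0.jar").write_bytes(b"trusted jar bytes + extra")  # tampered
        extra = repo / "org/example/extra/2.0"                     # never pinned
        extra.mkdir(parents=True)
        (extra / "extra-2.0.jar").write_bytes(b"unreviewed")
        return verify_repo(repo, pins)

if __name__ == "__main__":
    print(demo())
```

Pins only help if they come from a copy you reviewed; digests fetched from the same source as the artifact prove nothing about that source.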