Maven does verify the hash of the libraries being used when it downloads them, and you can specify library versions. The main Maven repo managers require asset providers to get an account and tickets to upload assets into the distributed repo.
You can also specify which repo you want to download the assets from in the POM too, and if you want a very high level of control, you can create your own repo and specify that. AFAICT, Fred only requires JUnit to build, so it would be pretty lightweight. On the flip side, you could even use Maven to distribute, install and run Freenet.

> Right. Does Maven verify signatures/hashes on downloaded files? I guess it
> could verify hashes, provided it is always downloading an exact version?
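
The setup discussed in this message (own repository named in the POM, exact version, checksum enforcement) as a POM fragment. This is an added example, not part of the original post and not Freenet's build file. The project coordinates, repository id and URL, and the JUnit version number are assumptions made for illustration.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates, constructed for this example -->
  <groupId>org.example</groupId>
  <artifactId>pinned-build-example</artifactId>
  <version>1.0</version>

  <repositories>
    <!-- Repositories inherited from the super POM (Maven Central) stay in
         the resolution order unless a mirror in settings.xml replaces them -->
    <repository>
      <!-- Hypothetical self-hosted repository; id and URL are assumptions -->
      <id>internal-repo</id>
      <url>https://repo.example.org/maven2</url>
      <releases>
        <enabled>true</enabled>
        <!-- Abort the build on a checksum mismatch; the other accepted
             values are "warn" and "ignore" -->
        <checksumPolicy>fail</checksumPolicy>
        <!-- Released artifacts should not change, so never re-check them -->
        <updatePolicy>never</updatePolicy>
      </releases>
      <snapshots>
        <!-- Snapshots change under the same version string; keep them out -->
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>

  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <!-- [x] is a hard requirement for exactly version x; a bare x is only
           a preference. The number is an example, not taken from the page -->
      <version>[4.13.2]</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

The checksum files are fetched from the same repository as the artifact, so this check catches corrupted or truncated downloads rather than a repository that serves a modified artifact together with a matching checksum. Running `mvn -C` (`--strict-checksums`) enforces the same fail-on-mismatch behaviour for a single build without editing the POM.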