On 31/03/11 04:41, freenet.10.technomation at recursor.net wrote:
> Maven does verify the hash of the libraries being used when it downloads
> them, and you can specify library versions. The main maven repo managers
> require asset providers to get an account and tickets to upload assets into
> the distributed repo.
>
Could you point me to some official maven documentation that verifies this? I
tried to find some but couldn't, and even found stuff that contradicts it.

http://docs.codehaus.org/display/MAVEN/Repository+Security is the latest info I
can find, which only says "it was being worked on", not the current status.

> You can also specify which repo you want to download the assets from in the
> POM too, and if you want a very high level of control, you can create your
> own repo and specify that. AFAICT, Fred only requires JUnit to build, so it
> would be pretty lightweight.
>

Actually, it requires a bunch of other libraries. See contrib-staging/master
for details.

> On the flip side, you could even use maven to distribute, install and run
> Freenet.
>
>> Right. Does Maven verify signatures/hashes on downloaded files? I guess it
>> could verify hashes, provided it is always downloading an exact version?
>

-- 
GPG: 4096R/5FBBDBCE
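
The distinction the thread turns on, as an added example that is not part of the original message or of Freenet's or Maven's code: a checksum file published by the repository beside the artifact changes together with the artifact, while a digest recorded locally for an exact version does not. The coordinates `org.example:demo-lib:1.0.0`, the jar bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for a downloaded jar (not a real artifact).
GOOD_JAR = b"PK\x03\x04 constructed sample jar"
ALTERED_JAR = GOOD_JAR + b" plus one unexpected class"
COORDS = "org.example:demo-lib:1.0.0"  # hypothetical groupId:artifactId:version


def repo_path(coords, ext="jar"):
    """Path of an exact-version artifact in the standard Maven repository layout."""
    group, artifact, version = coords.split(":")
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.{ext}"


def sidecar_ok(data, sidecar_text):
    """Check against the .sha1 file fetched from the same repository as the jar."""
    fields = sidecar_text.split()  # some sidecars are "<hex>  <filename>"
    if not fields:
        return False
    return hmac.compare_digest(hashlib.sha1(data).hexdigest(), fields[0].lower())


def pinned_ok(coords, data, pins):
    """Check against a SHA-256 recorded locally; unpinned coordinates are rejected."""
    expected = pins.get(coords)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


def compare_checks():
    """Run both checks on an untouched download and on one altered at the repository."""
    pins = {COORDS: hashlib.sha256(GOOD_JAR).hexdigest()}  # recorded at review time
    results = {}
    for label, served in (("untouched", GOOD_JAR), ("altered", ALTERED_JAR)):
        # The repository serves the sidecar too, so it always matches what was served.
        sidecar = hashlib.sha1(served).hexdigest() + "  " + repo_path(COORDS)
        results[label] = (sidecar_ok(served, sidecar), pinned_ok(COORDS, served, pins))
    return results


if __name__ == "__main__":
    for label, (sidecar, pinned) in compare_checks().items():
        print(f"{label}: sidecar check={sidecar} pinned check={pinned}")
```

The sidecar check passes in both cases, so it only detects transfer corruption; the pinned digest is the check that fails when the served file differs from the one that was reviewed.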