Warren MacEvoy created MNG-6367:
------------------------------------
Summary: maven installation insecure
Key: MNG-6367
URL: https://issues.apache.org/jira/browse/MNG-6367
Project: Maven
Issue Type: Bug
Components: Artifacts and Repositories, Bootstrap & Build,
Documentation: Guides
Affects Versions: 3.5.2
Reporter: Warren MacEvoy
The recommended install suggests using an insecure mirror, and then provides
either an md5 sum (completely insecure, broken a thousand years ago), or a gpg
signature (99% of installers will give up on following these directions, since
they provide incomplete instructions on how to actually do it, and it is not
easy to do).
Please provide a SHA256 sum with your distribution! Please remove the MD5 sum
which is dangerous (provides a false sense of security). Please provide a
complete recipe for verifying a signature using GnuPG
This bug affects all versions
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)