Warren MacEvoy created MNG-6367:
------------------------------------

             Summary: maven installation insecure
                 Key: MNG-6367
                 URL: https://issues.apache.org/jira/browse/MNG-6367
             Project: Maven
          Issue Type: Bug
          Components: Artifacts and Repositories, Bootstrap & Build, 
Documentation: Guides
    Affects Versions: 3.5.2
            Reporter:  Warren MacEvoy


The recommended install suggests using an insecure mirror, and then provides 
either an md5 sum (completely insecure, broken a thousand years ago), or a gpg 
signature (99% of installers will give up on following these directions, since 
they provide incomplete instructions on how to actually do it, and it is not 
easy to do).

Please provide a SHA256 sum with your distribution!   Please remove the MD5 sum 
which is dangerous (provides a false sense of security).  Please provide a 
complete recipe for verifying a signature using GnuPG 

This bug affects all versions

 

 

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to