BTW,

----- Original Message -----
...
>>
>> This is already part of the current process. The signatures are in
>> download_external_dependencies.pl. The Central Maven Repository uses these as
>> well.
>>
>
> Those are MD5 hashes, not signatures. MD5 has been broken since 1996:
>
> http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities
>

We can simply replace MD5 with SHA256 (Apache-Extras generates SHA1).

Pedro.
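
An added example, not part of the original message or of the project's script: checking a downloaded dependency against a pinned SHA-256 digest while refusing MD5 pins, as proposed in the thread above. The `algo:hexdigest` pin format, the function names and the sample file are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithms accepted for pins; MD5 and SHA-1 pins are refused outright.
ALLOWED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def file_digest(path, algo):
    """Stream the file through the chosen hash and return the hex digest."""
    h = ALLOWED[algo]()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned(path, pin):
    """Check a file against a pin written as 'algo:hexdigest' (assumed format).

    Returns (ok, reason). A pin with a weak or unknown algorithm is rejected
    before any hashing, so an MD5 entry can never count as verification.
    """
    algo, sep, expected = pin.partition(":")
    algo = algo.strip().lower()
    if not sep or algo not in ALLOWED:
        return False, "unsupported algorithm"
    actual = file_digest(path, algo).encode()
    if not hmac.compare_digest(actual, expected.strip().lower().encode()):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Run the check on a constructed file: good pin, MD5 pin, modified file."""
    data = b"constructed sample payload\n"
    good = "sha256:" + hashlib.sha256(data).hexdigest()
    legacy = "md5:" + "0" * 32  # constructed placeholder, never evaluated
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-dep-1.0.tar.gz")  # constructed name
        with open(path, "wb") as fh:
            fh.write(data)
        results = [verify_pinned(path, good), verify_pinned(path, legacy)]
        with open(path, "ab") as fh:
            fh.write(b"x")  # simulate a file altered after the pin was made
        results.append(verify_pinned(path, good))
    return results
```

A pinned digest protects the download only as far as the pin list itself is trusted; unlike a signature, it says nothing about who produced the file.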
