I've been reading the security proposal for the maven2 repository @
One thing I'd like to see is *every* JAR signed w/ certs under a
single CA, say the Maven one. That way, if I go against a public
maven2 repository for JAR download, I can check that it is signed.
This does add a side effect to every JAR -and is JAR only- but offers
the following features:
- integrates w/ the Java security stuff, esp. secure classloaders
- one GET includes security info
- security info propagates. With maven and ant support, the
repositories could soon become the core means of picking up JAR Files.
Which means that gradually the JAR files everywhere get signed.
We do need to make it easy to sign stuff.
If we can make progress on this, we can get the relevant CA info and
layout logic into the next ant release, so Ant will be set up to
*only* work with the maven2 layout. That would be nice; less legacy
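One way to perform the check the post proposes (every entry of a downloaded JAR is signed, and each entry's signer chains to a single configured CA), as an added Java example that is not part of this thread or of Maven/Ant; the CA certificate file, the JAR path and the skipped revocation check are assumptions:

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class VerifySignedJar {
    // Returns true only if every non-metadata entry is signed and at least one
    // signer of each entry chains to the CA certificate (PEM or DER) at caCertPath.
    public static boolean verify(String jarPath, String caCertPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caCertPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP source is configured here
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        // verify=true makes JarFile check each entry's digest against the signed manifest
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Digests are checked as the entry is read; a tampered entry throws SecurityException
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain so the signer info becomes available */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) return false; // unsigned entry
                if (!anySignerChainsToCa(signers, cf, validator, params, ca)) return false;
            }
        }
        return true;
    }

    private static boolean anySignerChainsToCa(CodeSigner[] signers, CertificateFactory cf,
            CertPathValidator validator, PKIXParameters params, X509Certificate ca) throws Exception {
        for (CodeSigner s : signers) {
            // The signer's path may carry the CA itself; PKIX expects the anchor outside the path
            List<Certificate> chain = new ArrayList<>();
            for (Certificate c : s.getSignerCertPath().getCertificates()) if (!c.equals(ca)) chain.add(c);
            if (chain.isEmpty()) continue;
            try { validator.validate(cf.generateCertPath(chain), params); return true; }
            catch (CertPathValidatorException ex) { /* this signer does not chain to the CA */ }
        }
        return false;
    }
}
```

A build tool would call `verify(downloadedJar, mavenCaCert)` before placing the artifact in the local repository and reject it on `false` or on a `SecurityException`.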