On Saturday 05 February 2005 03:42, Henri Yandell wrote: > On Wed, 12 Jan 2005 21:01:41 +0000, Steve Loughran > > <[EMAIL PROTECTED]> wrote: > > We do need to make it easy to sign stuff. > > I'm new to the list, so I could be missing a lot of context. > > I think the most important thing to do is to make it easy to check the > signature of stuff.
Agree. > I know this will mainly be an issue for Maven/Ant/whatever when they > download the stuff, but repository could maintain a tight Java > implementation that can be used to check things automatically? I am toying with the idea that there is a difference between authorative and non-authorative repositories, where non-authorative ones can off-load the central repositories, while the client still checks the checksum and signatures at the authorative one. The authorative one needs a known server certificate, where as the mirrors can be plain ones. Once that is established properly, security policies can be issued against the content and its signatories, instead of the codebase locations. Just my thoughts, and not too well founded in actual code. Cheers Niclas