We are now looking at a timescale of lateish summer for Ant 1.7, and the <libraries> task will ship, with a fair amount of todo items associated with it: http://wiki.apache.org/ant/Ant17_2fPlanning

 - <jarssigned> policy to verify that jars are signed (for private repositories)
 - <md5verify> to verify .md5 files
 - <apachesigned> to use whatever our apache signed policy is going to be
 - offline handling with a -offline flag and related things.

Now is the time to do any restructuring of the repository layout, better mirroring, better security, before many more people start relying on the existing stuff.

What if we add an XML file of security info next to each artifact? This file contains the different security signatures all in one place:

    <security>
      <signatory>
        <name>apache</name>
        <publiccert>....</publiccert>
        <signings>
          <signing>
            <name>md5</name>
            <date>2005-04-12</date>
            <data>05ff3b3a1</data>            <!-- MD5 checksum -->
            <signature> ... </signature>      <!-- MD5 digest + date as signed by the PKI -->
          </signing>
          <signing>
            <name>GPG</name>
            ....
          </signing>
        </signings>
      </signatory>
    </security>

So we can have multiple, different signings by the same public-key defined entity; we use signed datestamps to indicate that the files were signed when the certs were valid (i.e. it is not an error to verify something against an expired cert, as long as the cert was valid at signing time); new key mechanisms/certs can be added later without adding new files to the system; and one GET of artifact.security is enough to return *all* the security information.

Java stuff could be signed with signed MD5 and/or SHA1, using a keygen-generated certificate that we (apache) indicate is valid (by way of GPG sigs), and include in the Ant/Maven distros. GPG security could be included too, but wouldn't be used for out-of-the-box validation as it ain't built into the Java runtime. Native code can be signed with GPG inline.

What do people think?
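As an added example that is not part of the original message, here is a small Python verifier for the proposed artifact.security layout: it hashes the artifact with the algorithm named in each <signing>, checks the signing date against the signatory's certificate validity window rather than against today's date, and delegates the PKI signature check to a caller-supplied function. The sample XML, the artifact bytes, the certificate window and the signature stand-in are all constructed for this example.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import date

# Constructed artifact bytes and a matching artifact.security document
# in the proposed layout (placeholders stand in for the cert and signature).
ARTIFACT = b"constructed artifact bytes\n"
SECURITY_XML = f"""<security>
  <signatory>
    <name>apache</name>
    <publiccert>PLACEHOLDER-CERT</publiccert>
    <signings>
      <signing>
        <name>md5</name>
        <date>2005-04-12</date>
        <data>{hashlib.md5(ARTIFACT).hexdigest()}</data>
        <signature>PLACEHOLDER-SIG</signature>
      </signing>
    </signings>
  </signatory>
</security>"""

# Hypothetical validity window (notBefore, notAfter) of each signatory's cert.
CERT_VALIDITY = {"apache": (date(2005, 1, 1), date(2005, 12, 31))}


def verify_artifact(artifact, security_xml, verify_signature):
    """Return [(algorithm, ok)] for every <signing> in the document.

    verify_signature(publiccert, signed_message, signature) -> bool is the
    caller's PKI check; the signed message is digest + signing date, as the
    proposal describes. The current date is deliberately never consulted.
    """
    results = []
    for signatory in ET.fromstring(security_xml).findall("signatory"):
        not_before, not_after = CERT_VALIDITY[signatory.findtext("name")]
        cert = signatory.findtext("publiccert")
        for signing in signatory.findall("signings/signing"):
            algo = signing.findtext("name").lower()
            signed_on = date.fromisoformat(signing.findtext("date"))
            digest = signing.findtext("data")
            # The cert must have been valid on the signing date; later expiry is fine.
            cert_ok = not_before <= signed_on <= not_after
            digest_ok = hashlib.new(algo, artifact).hexdigest() == digest
            sig_ok = verify_signature(cert, digest + signed_on.isoformat(),
                                      signing.findtext("signature"))
            results.append((algo, cert_ok and digest_ok and sig_ok))
    return results
```

A GPG <signing> would plug in the same way, with verify_signature calling out to a GPG implementation for that entry.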