Noel J. Bergman wrote:
The jar distributed by Sun has signature information and a different
Manifest (they declare impl: 1.4, specification 1.3).
The jar found on ibiblio declares 1.4 for both specification and
implementation.
If no problem arises I would stick to the ibiblio version
Huh? The author's version and a library's don't agree, and you want the one
from the library? Why? Why would you trust the library? I certainly
don't. We don't know the provenance of the binary, we don't know that it
hasn't been corrupted, tainted, etc.
I agree this is ridiculous, but Sun seems to talk about Javamail 1.4
specification all over the world, so this seems a problem in Sun's
package.
Javamail 1.4 implements the 1.4 specification, not the 1.3
specification: in fact it also is the reference implementation for the
1.4 specification, isn't it?
Furthermore authenticity and trust are different things: once I know
that the package is authentic and from Sun I don't trust it more than
the binary I can build on my own ;-)
I'd check with Bill to find out why there is a discrepancy.
Thank you.
This is why we require that all release files be signed, so that people can
be assured that they are getting what we have released.
if we ever will move to [a] build system where we automatically
download jars we'll use ibiblio, so let's test them.
I would be against automatic downloading that does not verify the
authenticity of the downloaded artifacts.
--- Noel
Does any build tool do this?
I know they check the hash, but this doesn't tell you anything about
authenticity.
Btw I think that automatic download the way maven2 and similar tools do
is a good thing: if you don't want to use it, or if you want to run
authentication checks after the download the tools do not block you.
Stefano
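An added example, not part of the original thread and not code from JavaMail or any build tool: a Python sketch that compares two copies of a jar the way the thread does by hand, reporting which main manifest attributes differ and whether each copy carries signature files. The function names and the two sample jars are constructed for illustration; the sample manifests mirror the versions quoted above.

```python
import io
import re
import zipfile

SIG_FILE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.IGNORECASE)

def main_attributes(manifest_text):
    """Parse the main section of a MANIFEST.MF (everything up to the first blank line)."""
    unfolded = re.sub(r"\r?\n ", "", manifest_text)  # a leading space continues the previous line
    attrs = {}
    for line in unfolded.splitlines():
        if not line.strip():
            break  # per-entry sections follow the main section
        name, _, value = line.partition(": ")
        attrs[name] = value
    return attrs

def describe(jar_bytes):
    """Return (main manifest attributes, sorted signature-related entries) for one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    # Presence only: this does not validate the signature (jarsigner -verify does that).
    signed = sorted(n for n in names if SIG_FILE.match(n))
    return main_attributes(manifest), signed

def compare(jar_a, jar_b):
    """Report manifest attributes that differ and whether each jar has signature files."""
    (attrs_a, sig_a), (attrs_b, sig_b) = describe(jar_a), describe(jar_b)
    diffs = {k: (attrs_a.get(k), attrs_b.get(k))
             for k in sorted(set(attrs_a) | set(attrs_b))
             if attrs_a.get(k) != attrs_b.get(k)}
    return {"attr_diffs": diffs, "signed": (bool(sig_a), bool(sig_b))}

def make_jar(manifest, extra=()):
    """Build a small in-memory jar (constructed sample input, not a real release)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name in extra:
            jar.writestr(name, b"constructed placeholder")
    return buf.getvalue()

# Constructed samples: a signed copy (impl 1.4, spec 1.3) and an unsigned copy (1.4 for both).
HEAD = "Manifest-Version: 1.0\r\nImplementation-Version: 1.4\r\n"
VENDOR = make_jar(HEAD + "Specification-Version: 1.3\r\n\r\n", ["META-INF/X.SF", "META-INF/X.RSA"])
MIRROR = make_jar(HEAD + "Specification-Version: 1.4\r\n\r\n")

if __name__ == "__main__":
    print(compare(VENDOR, MIRROR))
```

A difference in the signed flags means one copy has had its signature stripped or never had one; it says nothing yet about who produced either file.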