Let's assume that I am writing a task to download jar files from remote places. No more specifics, as I will only get feature requests :)

Now let's assume that the maven repository is an obvious place of stuff, and one class of repository to work with. Maven repositories have (a) the jar files (b) md5 signatures (e.g. http://www.ibiblio.org/maven/ant/jars/ant-1.4.1.jar.md5 -> 4dd8dfba17f9567f5a4dcc4005c7d6a7). So to verify stuff I could fetch the jars and then the md5 signatures & make sure the jar matches the signature.

But what good does this do? If the server is subverted, the md5 checksums are corruptible too! The only way to secure it is one of

1. checksums to live on an http server you trust
2. things to be signed by a CA you trust.

There must be something I am missing here. Also, can/should we declare ourselves a CA and sign all our ant jars.

-steve
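An added example, not part of the thread, that makes the post's point concrete. It simulates three fetches from a Maven-style repository (the jar bytes, repository contents and attacker jar are all constructed stand-ins, not real ibiblio artifacts) and runs two checks over each: the one the post describes, where the `.md5` file comes from the same host as the jar, and option 1 from the post, where the digest is pinned from a source you trust. The function names (`verify_with_repo_md5`, `verify_with_pinned_md5`, `run_scenarios`) are mine, not Ant's.

```python
"""Added example: what a repository-hosted .md5 file proves, and what it does not.

All jar bytes, repository contents and digests below are constructed for the
demonstration; nothing here is fetched from a real Maven repository.
"""
import hashlib


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (the algorithm behind the .md5 files in the post)."""
    return hashlib.md5(data).hexdigest()


def parse_md5_file(text: str) -> str:
    """Read a .md5 file: either a bare hex digest or md5sum-style '<hex>  <name>'."""
    fields = text.strip().split()
    if not fields:
        raise ValueError("empty md5 file")
    digest = fields[0].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed md5 digest: {fields[0]!r}")
    return digest


def make_repo(jar_path: str, jar_bytes: bytes) -> dict:
    """Constructed stand-in for a Maven repository: URL path -> served bytes.
    The server publishes the jar and, next to it, the md5 of whatever it serves."""
    return {
        jar_path: jar_bytes,
        jar_path + ".md5": (md5_hex(jar_bytes) + "\n").encode("ascii"),
    }


def verify_with_repo_md5(repo: dict, jar_path: str) -> bool:
    """The check from the post: fetch jar and jar.md5 from the same host and compare."""
    expected = parse_md5_file(repo[jar_path + ".md5"].decode("ascii"))
    return md5_hex(repo[jar_path]) == expected


def verify_with_pinned_md5(repo: dict, jar_path: str, pinned_digest: str) -> bool:
    """Option 1 from the post: the digest comes from somewhere you trust
    (here, a value recorded in the build when the artifact was first vetted)."""
    return md5_hex(repo[jar_path]) == pinned_digest.lower()


JAR_PATH = "/maven/ant/jars/ant-1.4.1.jar"
GOOD_JAR = b"PK\x03\x04 constructed stand-in for the real ant-1.4.1.jar bytes"
PINNED_DIGEST = md5_hex(GOOD_JAR)  # the trusted, out-of-band copy of the checksum


def run_scenarios() -> dict:
    """Return {scenario: (repo_hosted_md5_check_passes, pinned_md5_check_passes)}."""
    honest = make_repo(JAR_PATH, GOOD_JAR)

    # Bytes damaged on the wire: the jar differs, but the .md5 still describes the good jar.
    corrupted = dict(honest)
    corrupted[JAR_PATH] = GOOD_JAR[:-1] + b"X"

    # Server compromised: the jar is replaced AND the .md5 beside it is regenerated,
    # so the two files remain consistent with each other.
    subverted = make_repo(JAR_PATH, b"PK\x03\x04 constructed attacker-controlled jar bytes")

    results = {}
    for name, repo in (("honest", honest),
                       ("corrupted_in_transit", corrupted),
                       ("subverted_server", subverted)):
        results[name] = (verify_with_repo_md5(repo, JAR_PATH),
                         verify_with_pinned_md5(repo, JAR_PATH, PINNED_DIGEST))
    return results


if __name__ == "__main__":
    for name, (repo_ok, pinned_ok) in run_scenarios().items():
        print(f"{name:22s} repo-hosted md5: {'pass' if repo_ok else 'FAIL'}   "
              f"pinned md5: {'pass' if pinned_ok else 'FAIL'}")
```

The co-located `.md5` catches the corrupted download and nothing else: in the subverted case it passes, because the attacker controls both files. Only the pinned digest, held somewhere the repository cannot rewrite, fails that case, which is the post's option 1 in code. Option 2 (a signature) has the same shape: it helps only if the key you check against is trusted independently of the server that serves the jar. One caveat a modern reader should add: MD5 is no longer collision-resistant, so a digest pinned today should use SHA-256 or stronger; the trust argument above does not change.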