As far as I can tell, MD5s from the same server can only tell you about download corruption. MD5s from a separate, "trusted" server for a download verify the remote machine's content is correct with respect to the trusted version. This is important for mirroring - if you look at Ant's download page, the zips are sourced from a mirror but the MD5s point to the apache.org version.

To properly validate a download, it does need to be signed. We currently do that but there are no guaranteed trust relationships set up. Once we get to the question of a CA, you need to include ASF-wide infrastructure people in the discussion. I think there may be some overhead in managing that for the whole ASF.

Conor
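
The distinction drawn in the message above, as an added example that is not part of the original e-mail: a file altered on a mirror still passes against a checksum served by that same mirror, and fails only against the checksum published by the trusted origin. The file name, byte strings and checksum texts are constructed sample data, and `parse_digest`, `matches` and `scenario` are hypothetical helper names.

```python
import hashlib
import hmac
import re

HEX = r"([0-9a-fA-F]{32})"

def parse_digest(text, filename):
    """Return the MD5 hex digest for `filename` from a checksum file.

    Accepts BSD style ("MD5 (name) = hex"), GNU style ("hex  name" or
    "hex *name") and a file holding only the bare digest.
    """
    for line in text.splitlines():
        line = line.strip()
        bsd = re.fullmatch(r"MD5 \((.+)\) = " + HEX, line)
        gnu = re.fullmatch(HEX + r"\s+\*?(.+)", line)
        if bsd and bsd.group(1) == filename:
            return bsd.group(2).lower()
        if gnu and gnu.group(2) == filename:
            return gnu.group(1).lower()
        if re.fullmatch(HEX, line):
            return line.lower()
    raise ValueError("no digest listed for " + filename)

def matches(data, checksum_text, filename):
    """Compare the download's MD5 with the digest a given server published."""
    expected = parse_digest(checksum_text, filename)
    actual = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data (not real release artifacts).
FILENAME = "example-1.0.zip"
ORIGINAL = b"release contents as built by the project"
ALTERED = b"release contents as modified on the mirror"

# Checksum file as published on the trusted origin server.
TRUSTED_MD5 = hashlib.md5(ORIGINAL).hexdigest() + "  " + FILENAME
# Checksum file sitting next to the altered zip on the mirror.
MIRROR_MD5 = "MD5 (%s) = %s" % (FILENAME, hashlib.md5(ALTERED).hexdigest())

def scenario():
    """Check each download against each checksum source."""
    return {
        "altered_vs_mirror": matches(ALTERED, MIRROR_MD5, FILENAME),
        "altered_vs_trusted": matches(ALTERED, TRUSTED_MD5, FILENAME),
        "original_vs_trusted": matches(ORIGINAL, TRUSTED_MD5, FILENAME),
    }

if __name__ == "__main__":
    print(scenario())
```

Neither check says anything if the trusted server's own copy is wrong, which is the gap a signature with an established trust relationship is meant to close.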
