<[EMAIL PROTECTED]> wrote: > As far as I can tell, MD5s from the same server can only tell you about > download corruption. MD5s from a separate, "trusted" server for a > download verify the remote machine's content is correct with respect to > the trusted version. This is important for mirroring - if you look at > Ant's download page, the zips are sourced from a mirror but the MD5s > point to the apache.org version. >
Exactly.
One nice thing about maven's repository is that you can automatically find the .md5 signature for
any achive file by appending .md5 to it. We really need a trusted (https) repository that serves up the checksums. Or they get signed.
-steve
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
