oh, and one more thing.
I dont think security checking of Md5 checksums should be voluntary; it should be on by default even if we really need https-against-apache.org verification to be secure. It should be built in to the maven repository handler, where it is currently stubbed out.
Ideally JAR signing would be even better; even if probably a bit slower to check.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
