Maven has a way of signing artifacts and publishing checksums. In fact, it is one of the requirements we stick to in Apache Bigtop (see [1]).
Maven has a verify plugin for this purpose [2].

[1] https://repo.maven.apache.org/maven2/org/apache/bigtop/itest/itest-common/1.1.0/
[2] https://maven.apache.org/plugins/maven-verifier-plugin/verify-mojo.html

Cos

On Sat, Jun 04, 2016 at 10:54AM, Russel Winder wrote:
> On Sat, 2016-06-04 at 10:53 +0200, jim northrop wrote:
> > what does this mean to the avg hacker ? do we need to fix our kit
> > anyway ?
> >
>
> For those who download and check signatures, SHA1 and MD5 are
> unreliable and provide very weak confidence.
>
> I am not sure what stance Gradle, Maven, and Ant take on signature
> checking, do they do any signature checking at all?
>
> --
> Russel.
> =============================================================================
> Dr Russel Winder t: +44 20 7585 2200 voip: sip:russel.win...@ekiga.net
> 41 Buckmaster Road m: +44 7770 465 077 xmpp: rus...@winder.org.uk
> London SW11 1EN, UK w: www.russel.org.uk skype: russel_winder
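An added example, not part of the thread or of any project mentioned in it: a Python check of a downloaded artifact against its published checksum sidecars that reports when the only digests available are the MD5 and SHA-1 ones the thread calls weak. The sidecar extensions, the status names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

# Sidecar extension -> whether a match gives meaningful assurance.
# MD5 and SHA-1 are still checked, but a match on those alone is reported as weak.
ALGORITHMS = {"sha512": True, "sha256": True, "sha1": False, "md5": False}
HEX = set("0123456789abcdef")

def parse_sidecar(text, hex_len):
    """Extract the digest from 'digest', 'digest  file' or 'ALGO(file)= digest'."""
    for token in text.replace("=", " ").split():
        token = token.lower()
        if len(token) == hex_len and set(token) <= HEX:
            return token
    return None

def verify_artifact(data, sidecars):
    """data: artifact bytes; sidecars: {extension: sidecar file text}.
    Returns (status, per-algorithm results) with status one of
    'unverified', 'mismatch', 'weak-only', 'strong'."""
    results = {}
    for name in ALGORITHMS:
        if name not in sidecars:
            continue
        actual = hashlib.new(name, data).hexdigest()
        expected = parse_sidecar(sidecars[name], len(actual))
        # An unparseable sidecar counts as a failure, not as "nothing to check".
        results[name] = expected is not None and hmac.compare_digest(expected, actual)
    if not results:
        return "unverified", results
    if not all(results.values()):
        return "mismatch", results
    if any(ALGORITHMS[name] for name in results):
        return "strong", results
    return "weak-only", results

if __name__ == "__main__":
    jar = b"constructed artifact bytes, not a real jar"  # constructed sample
    sidecars = {
        "md5": hashlib.md5(jar).hexdigest(),
        "sha1": hashlib.sha1(jar).hexdigest() + "  itest-common-1.1.0.jar\n",
    }
    print(verify_artifact(jar, sidecars)[0])             # MD5 + SHA-1 only
    sidecars["sha256"] = hashlib.sha256(jar).hexdigest()
    print(verify_artifact(jar, sidecars)[0])             # SHA-256 present
    print(verify_artifact(jar + b"!", sidecars)[0])      # modified artifact
```

A digest fetched from the same repository as the artifact only detects corruption in transit or storage; authenticating the publisher takes the detached `.asc` signature checked against a key obtained separately.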