Hi,

On Thu, Sep 18, 2008 at 11:41 PM, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
> Since the hash is not security, it's not terribly important, eh?
Hashes are a perfect tool for verifying message integrity. They won't prove origin like signatures do, but verifiable integrity is hardly *not* security.

Verifying integrity is what Hiram is trying to achieve with his plugin, i.e. ensuring that the dependencies on the repository (or in transit from the repository to the user) haven't been tampered with.

You have a valid concern about how the upstream developer can trust his dependencies. Hiram has a valid solution to the security of the downstream user who builds a source release (with Maven dependencies) from the upstream developer that he trusts.

PS. Should we take this somewhere else than [EMAIL PROTECTED]? It's hardly on topic here.

BR,

Jukka Zitting
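Added illustration (not from this thread, and not code from Hiram's plugin) of the two checks being contrasted above: a Maven-style comparison against the .sha1 file served beside the artifact, and a comparison against a hash pinned in the trusted upstream source release. The repository paths, artifact bytes and pinned value are constructed for the example.

```python
import hashlib
from typing import Dict

PATH = "org/example/lib/1.0/lib-1.0.jar"

# Constructed sample artifact and an in-memory "repository" keyed by
# Maven-style paths; the .sha1 file beside the jar is what a Maven client
# normally compares against.
GENUINE_JAR = b"PK\x03\x04 constructed lib-1.0.jar contents"
REPO: Dict[str, bytes] = {
    PATH: GENUINE_JAR,
    PATH + ".sha1": hashlib.sha1(GENUINE_JAR).hexdigest().encode(),
}
# Hash the upstream developer ships inside the trusted source release; it is
# the one value that never travels through the repository.
PINNED_SHA1 = hashlib.sha1(GENUINE_JAR).hexdigest()


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def check_repo_checksum(repo: Dict[str, bytes], path: str) -> bool:
    """In-band check: artifact versus the .sha1 file served next to it."""
    expected = repo[path + ".sha1"].decode().split()[0].lower()
    return sha1_hex(repo[path]) == expected


def check_pinned(repo: Dict[str, bytes], path: str, pinned: str) -> bool:
    """Out-of-band check: artifact versus the hash pinned by upstream."""
    return sha1_hex(repo[path]) == pinned.lower()


def scenarios() -> Dict[str, Dict[str, bool]]:
    """Run both checks against three constructed states of the repository."""
    modified = GENUINE_JAR + b"\n# constructed modification"
    # Artifact changed on its way to the user, checksum file untouched.
    in_transit = {**REPO, PATH: modified}
    # Repository content itself replaced, .sha1 included: the in-band
    # checksum now agrees with the changed jar, the pinned hash does not.
    repo_altered = {**REPO, PATH: modified,
                    PATH + ".sha1": sha1_hex(modified).encode()}
    results = {}
    for name, repo in (("genuine", REPO), ("transit_tamper", in_transit),
                       ("repo_altered", repo_altered)):
        results[name] = {
            "repo_checksum": check_repo_checksum(repo, PATH),
            "pinned": check_pinned(repo, PATH, PINNED_SHA1),
        }
    return results
```

The third scenario is the case William raises: a checksum that travels the same channel as the artifact only proves the two agree, while a hash pinned by the trusted upstream still detects the change.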