> On Jan 1, 2016, at 21:31, Toby Crawley <t...@tcrawley.org> wrote:
>
> But if we had a regular
> process that crawled all of the mirrors and the canonical repo to
> verify that the checksums of every artifact are identical, this could
> actually improve security, since we could detect if any checksum
> had been changed
I would caution against this approach. An attacker could easily target specific organizations, serving compromised artifacts only to particular IP ranges. A periodic verification process wouldn't detect this[1], and might lend a false sense of security that lulls people into putting off real security measures.

[1] Unless run by every organization that uses lein, and even then it still might not catch anything if the attackers are clever.

--
You received this message because you are subscribed to the Google Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/clojure?hl=en
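An added illustration of the point made in this reply (constructed example, not code from the thread or from Leiningen): a hypothetical mirror that serves a tampered body only to listed client identities, a periodic crawler audit from a single vantage point, and a per-download check by the consuming organization against the canonical checksum. The artifact bytes, path and client names are all made up.

```python
import hashlib

# Constructed sample artifact and a tampered variant (not real repository data).
CANONICAL_JAR = b"PK\x03\x04 constructed-canonical-artifact"
TAMPERED_JAR = b"PK\x03\x04 constructed-tampered-artifact"
ARTIFACT = "org/example/lib/1.0.0/lib-1.0.0.jar"  # hypothetical path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class TargetedMirror:
    """Hypothetical mirror that returns a different body only to selected clients.

    `client_id` stands in for whatever the server keys on (e.g. source IP range).
    """

    def __init__(self, canonical: bytes, tampered: bytes, victims: set):
        self.canonical, self.tampered, self.victims = canonical, tampered, victims

    def fetch(self, path: str, client_id: str) -> bytes:
        return self.tampered if client_id in self.victims else self.canonical


def crawler_audit(mirror: TargetedMirror, canonical_checksum: str,
                  crawler_id: str = "auditor") -> bool:
    """Periodic crawl from one vantage point. True means 'mirror looks clean'."""
    return sha256_hex(mirror.fetch(ARTIFACT, crawler_id)) == canonical_checksum


def client_verify(mirror: TargetedMirror, canonical_checksum: str,
                  client_id: str) -> bool:
    """Per-download check run by the consuming organization itself."""
    return sha256_hex(mirror.fetch(ARTIFACT, client_id)) == canonical_checksum


def scenario() -> dict:
    """Run both checks against a mirror that targets only 'org-b'."""
    canonical_checksum = sha256_hex(CANONICAL_JAR)
    mirror = TargetedMirror(CANONICAL_JAR, TAMPERED_JAR, victims={"org-b"})
    return {
        "crawler_says_clean": crawler_audit(mirror, canonical_checksum),
        "org_a_download_ok": client_verify(mirror, canonical_checksum, "org-a"),
        "org_b_download_ok": client_verify(mirror, canonical_checksum, "org-b"),
    }


if __name__ == "__main__":
    print(scenario())
```

The crawler reports the mirror as clean while the targeted organization's own per-download check is the only one that sees the mismatch, which is the gap described in the reply.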