Hi,

(please CC me on a response to this, or it might be another week before I check back :)

Nicola earlier pointed me at this thread, and I thought I'd just reassure you on a point...

> How do artifacts get into the remote Maven repository
> and how are they guaranteed to be the legitimate file?

For ASF artifacts, the copy on ibiblio is identical to http://www.apache.org/dist/java-repository/ as we rsync it from there (for the Maven2 repository, we do some processing of the metadata, but the original JAR remains intact). We retain logs on what happens here, and have some additional monitoring, so I'm confident what is on ibiblio and its mirrors is the same as what is on the ASF hardware. It would be good to make use of the ASF's own mirrors (we can't point people at www.apache.org directly, of course), but we have more work to do there yet before that would be possible.

We have similar arrangements with other projects: open symphony, mortbay, osjava to name some. The rest are done manually, but are checked by humans.

If this isn't strong enough, as Nicola mentioned, you are welcome to set up your own repository - it's very easy to use it instead of, or in addition to, ibiblio. The hardest bit is going to be populating it - in particular the required metadata, but you can certainly copy that from ibiblio and give it a once over.

Steve Loughran had the idea of hardcoding the sha1 of the artifact into your build file so that as long as you can get the original and trust it, you're protected from future compromise. This isn't flawless, and is probably somewhat tedious for general use... but if you are interested that could be added to at least the first level of dependencies.

Anyway, I'm glad to hear you're considering using our ant tasks - if there is anything we can do to help out, please drop us a line at [EMAIL PROTECTED]

Cheers,
Brett
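The hash-pinning idea mentioned above, worked through as an added example (not code from the mail or from the Maven project): the hash of a trusted original is recorded once, every later download is compared against it, and an artifact with no pin fails closed. The artifact bytes, the `groupId:artifactId:version` coordinate string and the `coordinate=sha1` pin-file format are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample "artifacts": stand-ins for JAR bytes fetched from a repository.
TRUSTED_ORIGINAL = b"PK\x03\x04 constructed jar contents for example-lib 1.0"
TAMPERED_COPY = b"PK\x03\x04 constructed jar contents for example-lib 1.0 + injected class"

def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of an artifact's bytes (SHA-1 is what the thread pins; prefer SHA-256 for new builds)."""
    return hashlib.sha1(data).hexdigest()

def pin_artifact(coordinate: str, data: bytes, pins: dict) -> str:
    """Record the hash of an artifact obtained from a source you trust, done once.
    Returns the hash so it can be copied into the build file."""
    digest = sha1_hex(data)
    pins[coordinate] = digest
    return digest

def verify_artifact(coordinate: str, data: bytes, pins: dict) -> bool:
    """Check a freshly downloaded artifact against its pinned hash.
    Unknown coordinates fail closed: a dependency without a pin is not trusted."""
    expected = pins.get(coordinate)
    if expected is None:
        return False
    return hmac.compare_digest(sha1_hex(data), expected)

def parse_pins(build_file_text: str) -> dict:
    """Parse 'coordinate=sha1' lines (hypothetical pin-file format, constructed for this example)."""
    pins = {}
    for line in build_file_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        coordinate, _, digest = line.partition("=")
        pins[coordinate.strip()] = digest.strip().lower()
    return pins

def demo() -> dict:
    pins = {}
    digest = pin_artifact("example:example-lib:1.0", TRUSTED_ORIGINAL, pins)
    stored = parse_pins(f"# pinned first-level deps\nexample:example-lib:1.0={digest}\n")
    return {
        "original_ok": verify_artifact("example:example-lib:1.0", TRUSTED_ORIGINAL, stored),
        "tampered_ok": verify_artifact("example:example-lib:1.0", TAMPERED_COPY, stored),
        "unpinned_ok": verify_artifact("example:other-lib:2.0", TRUSTED_ORIGINAL, stored),
    }

if __name__ == "__main__":
    print(demo())
```

The pins protect only against a later substitution of the artifact; they do nothing if the original copy was already compromised when it was pinned, which is the caveat the mail itself raises.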
