On Mon, Mar 24, 2014 at 7:29 PM, Robert Scholte <[email protected]> wrote:
> I have to admit I have never used it, but aren't the -c / -C Maven
> commandline options meant for this?
>

Only if you trust the repository where you get the checksums from. The idea advocated by Baptiste is that as a project owner you specify not only which GAV you require but also the checksum of a dependency: this way you can retrieve the checksum from the original project and make sure everybody gets the 'official' version. This also ensures that nobody can tamper with uploading a new version to a repository under the same GAV.

Now probably this will not be very practical to introduce on a large project (try to find the correct signatures for each dependency in, for example, a standard Maven build for a hello world application), but for some venues this might actually make sense, where security and accountability are paramount.

Martijn
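The pinning Martijn describes, worked through as an added example that is not code from this thread, from Maven, or from anything Baptiste proposed: a hypothetical pin file maps each GAV to the SHA-256 the project owner took from the upstream release, and the script hashes whatever Maven resolved into the standard local-repository layout (`~/.m2/repository/<group path>/<artifact>/<version>/<artifact>-<version>.jar`) and compares against the project-controlled value rather than against the checksum file the repository itself serves, which is what the `-c` / `-C` options check. The pin-file syntax, the `org.example` coordinates and the jar bytes are all constructed for the example.

```python
"""Verify locally resolved Maven artifacts against project-pinned SHA-256 values.

Added example for the mailing-list discussion above; not Maven code. The pin
file format 'groupId:artifactId:version = <sha256 hex>' is an assumption made
for this example, as are the org.example coordinates used in demo().
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_pins(text):
    """Parse pin lines into {gav: sha256hex}.

    Blank lines and '#' comments are ignored. A malformed line raises instead
    of being skipped, so a typo cannot silently remove a pin from enforcement.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        gav, sep, digest = line.partition("=")
        gav, digest = gav.strip(), digest.strip().lower()
        if not sep or gav.count(":") != 2 or len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"malformed pin line: {raw!r}")
        pins[gav] = digest
    return pins


def artifact_path(repo_root, gav):
    """Standard local-repository path of the main jar for a GAV."""
    group, artifact, version = gav.split(":")
    return os.path.join(repo_root, *group.split("."), artifact, version,
                        f"{artifact}-{version}.jar")


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(repo_root, pins):
    """Return {gav: 'ok' | 'mismatch' | 'missing'} for every pinned GAV.

    'mismatch' is the case the thread is about: bytes under a known GAV that
    are not the bytes the project owner vetted, whatever the repository's own
    checksum file says about them.
    """
    results = {}
    for gav, expected in pins.items():
        path = artifact_path(repo_root, gav)
        if not os.path.isfile(path):
            results[gav] = "missing"
            continue
        actual = sha256_of_file(path)
        results[gav] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo():
    """Constructed walk-through in a throwaway local repository: one intact jar,
    one jar whose bytes differ from the pinned release (as if a different file
    had been uploaded under the same GAV), and one pin with no file at all."""
    root = tempfile.mkdtemp(prefix="m2-demo-")
    intact = b"PK\x03\x04 constructed bytes standing in for the official jar"
    official = b"PK\x03\x04 constructed bytes of the release the project vetted"
    replaced = b"PK\x03\x04 constructed bytes of a different file under the same GAV"
    pins_text = "\n".join([
        "# pins the project owner took from the upstream releases",
        f"org.example:intact:1.0 = {hashlib.sha256(intact).hexdigest()}",
        f"org.example:swapped:2.1 = {hashlib.sha256(official).hexdigest()}",
        f"org.example:absent:0.9 = {'0' * 64}",
    ])
    pins = parse_pins(pins_text)
    for gav, data in (("org.example:intact:1.0", intact),
                      ("org.example:swapped:2.1", replaced)):
        path = artifact_path(root, gav)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return verify(root, pins)


if __name__ == "__main__":
    for gav, status in demo().items():
        print(f"{status:8} {gav}")
```

Run against a real `~/.m2/repository` by calling `verify(os.path.expanduser("~/.m2/repository"), parse_pins(open("pins.txt").read()))` after the build has resolved its dependencies; anything other than `ok` should fail the build. Populating the pin file is the laborious step Martijn points out, since each value has to come from the upstream project's own release, not from the mirror that served the jar.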
