On Mon, Mar 24, 2014 at 8:06 PM, Stephen Connolly < [email protected]> wrote:
> I see the checksums then as being another potential side artifact... No
> need for modelVersion 5.0.0

I see it differently: the checksum validates the GAV coordinates. "I mean 'com.example.foo:foo:1.0', specifically verify that it matches this signature 'sha1:1234567890abcdef'." For example, this enables me to check if a different version of an artefact was uploaded to the same GAV than I expected (and reportedly the original author too).

> A plugin right now could capture them and deploy to repo, and you could
> have same plugin verify the resolved dependencies against the same file.

This assumes the whole chain of parties is to be trusted. That nobody will try to side-load a version from a different repository.

I find the idea of adding a checksum to a dependency interesting. While I don't care for the extra fields in the POM, it opens a better venue of vetting the dependencies.

Martijn
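The "GAV plus checksum" check discussed in the message, as an added example that is not code from the thread or from Maven: a hypothetical `<checksum>` element on a dependency is read from a constructed POM, and the bytes of each resolved artifact are hashed and compared against the pin, so an artifact that was replaced under the same coordinates (from any repository) is flagged.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed artifact bytes: the foo-1.0.jar as originally published, and a
# different payload later uploaded under the same GAV.
ORIGINAL_JAR = b"PK\x03\x04 constructed foo-1.0.jar contents"
REPLACED_JAR = b"PK\x03\x04 different contents under the same GAV"

# Constructed POM fragment. The <checksum> element is hypothetical; it only
# illustrates the idea from the thread, not any real Maven model version.
POM_TEXT = """<project>
  <dependencies>
    <dependency>
      <groupId>com.example.foo</groupId>
      <artifactId>foo</artifactId>
      <version>1.0</version>
      <checksum>sha1:%s</checksum>
    </dependency>
  </dependencies>
</project>""" % hashlib.sha1(ORIGINAL_JAR).hexdigest()


def pinned_checksums(pom_xml):
    """Map 'groupId:artifactId:version' -> (algorithm, hexdigest) for every
    dependency that carries a <checksum> element."""
    pins = {}
    for dep in ET.fromstring(pom_xml).iter("dependency"):
        gav = ":".join(dep.findtext(t) for t in ("groupId", "artifactId", "version"))
        algo, _, digest = dep.findtext("checksum", "").partition(":")
        if algo and digest:
            pins[gav] = (algo.lower(), digest.lower())
    return pins


def verify_resolved(pins, resolved):
    """resolved maps a GAV to the bytes actually downloaded for it.
    Returns the GAVs whose bytes are missing or do not hash to the pinned digest.
    Hashing the downloaded bytes (rather than trusting the repository's own .sha1
    sidecar) is what makes a side-loaded artifact detectable."""
    mismatches = []
    for gav, (algo, digest) in pins.items():
        data = resolved.get(gav)
        if data is None or hashlib.new(algo, data).hexdigest() != digest:
            mismatches.append(gav)
    return mismatches


if __name__ == "__main__":
    pins = pinned_checksums(POM_TEXT)
    print("original:", verify_resolved(pins, {"com.example.foo:foo:1.0": ORIGINAL_JAR}))
    print("replaced:", verify_resolved(pins, {"com.example.foo:foo:1.0": REPLACED_JAR}))
```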
