This is a good idea, and a hash would serve roughly as well as
specifying the key, I think; it might even be better since it's
easier to generate a hash.
It might be wise to plan for the future, as whatever hash algorithm
is considered best practice today will be broken and useless at
some point in the future.
Maybe something like this:
<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.12</version>
  <signed-by algorithm="sha256">XXX</signed-by>
</dependency>
And have the signed-by element be legal to specify 0-N times, so that
it's possible to add multiple versions of it but not required.
I understand that .md5 files aren't used to verify that the downloaded
artifact isn't controlled by an attacker, but at least I use the .asc
files for that. Do you mean that they also have some other purpose?
Best regards,
Alexander Kjäll
On 05. des. 2016 23:10, Bernd Eckenfels wrote:
Having artifact checksums (hashes not signatures) in POM dependency
declarations would be cool, but that is not what .md5 or .asc is used for.
Regards,
Bernd
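The following is an added example written for this page; it is not code from the thread, from Maven, or from either author. It takes the `<dependency>` shape Alexander sketches above (0-N `signed-by` children, each carrying a hash and naming its algorithm; the attribute name `algorithm`, the element name and the whole schema are hypothetical, not anything Maven implements) and shows what a consumer-side check would have to do to honour Bernd's point that these are checksums rather than signatures and Alexander's point that today's algorithm will eventually be broken: it only trusts algorithms on an explicit allow-list, ignores the rest, and fails closed when nothing trustworthy is left. The artifact bytes and all digests are constructed in the block itself.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed stand-in for a downloaded jar; not a real junit artifact.
ARTIFACT = b"PK\x03\x04 constructed stand-in for junit-4.12.jar"

# Algorithms this consumer still trusts. md5 and sha1 are deliberately absent so a
# POM that carries only those is reported as unverifiable instead of "verified".
ACCEPTED_ALGORITHMS = {"sha256", "sha512"}


def pom_with(entries: List[Tuple[str, str]]) -> str:
    """Build a <dependency> in the hypothetical shape proposed in the mail,
    with zero or more <signed-by algorithm="..."> children."""
    signed = "".join(
        f'<signed-by algorithm="{alg}">{digest}</signed-by>' for alg, digest in entries
    )
    return (
        "<dependency><groupId>junit</groupId><artifactId>junit</artifactId>"
        f"<version>4.12</version>{signed}</dependency>"
    )


def parse_signed_by(pom_xml: str) -> List[Tuple[str, str]]:
    """Return every (algorithm, hex digest) pair declared on the dependency."""
    root = ET.fromstring(pom_xml)
    pairs = []
    for el in root.findall("signed-by"):
        alg = (el.get("algorithm") or "").strip().lower()
        pairs.append((alg, (el.text or "").strip().lower()))
    return pairs


def verify_artifact(artifact: bytes, entries: List[Tuple[str, str]]) -> Dict[str, object]:
    """Check the artifact against each declared digest.

    Policy: an entry whose algorithm is not on the allow-list (or unknown to
    hashlib) is ignored, never trusted. Overall status is
      fail          - some trusted algorithm did not match (tampering or corruption)
      ok            - at least one trusted algorithm matched and none mismatched
      unverifiable  - digests were declared but none used a trusted algorithm
      no-checksums  - the POM declared nothing at all
    """
    results: List[Tuple[str, str]] = []
    for alg, expected in entries:
        if alg not in ACCEPTED_ALGORITHMS or alg not in hashlib.algorithms_available:
            results.append((alg, "ignored"))
            continue
        actual = hashlib.new(alg, artifact).hexdigest()
        # Constant-time comparison; cheap insurance even though digests are public.
        matched = hmac.compare_digest(actual, expected)
        results.append((alg, "match" if matched else "mismatch"))

    outcomes = [r for _, r in results]
    if not outcomes:
        status = "no-checksums"
    elif "mismatch" in outcomes:
        status = "fail"
    elif "match" in outcomes:
        status = "ok"
    else:
        status = "unverifiable"
    return {"status": status, "results": results}


def demo() -> Dict[str, str]:
    """Run the check over a few constructed POM variants and return each status."""
    good_sha256 = hashlib.sha256(ARTIFACT).hexdigest()
    stale_md5 = hashlib.md5(ARTIFACT).hexdigest()   # correct value, but untrusted
    cases = {
        "sha256+md5": pom_with([("sha256", good_sha256), ("md5", stale_md5)]),
        "md5-only": pom_with([("md5", stale_md5)]),
        # "newhash" is a hypothetical future algorithm this consumer does not know.
        "future-only": pom_with([("newhash", "0" * 64)]),
        "none": pom_with([]),
    }
    statuses = {
        name: verify_artifact(ARTIFACT, parse_signed_by(xml))["status"]
        for name, xml in cases.items()
    }
    # One flipped byte in the download must turn the sha256 match into a failure.
    tampered = ARTIFACT[:-1] + b"?"
    statuses["tampered"] = verify_artifact(
        tampered, parse_signed_by(cases["sha256+md5"])
    )["status"]
    return statuses


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```

The allow-list is the part that ages: when a trusted algorithm is broken, removing it from `ACCEPTED_ALGORITHMS` turns POMs that only carried that algorithm into `unverifiable` rather than silently passing, which is the forward-compatibility the 0-N design is meant to buy. Whether `unverifiable` and `no-checksums` should block a build is a policy decision left to the caller.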