Hi Jaroslav,

On Thu, Dec 8, 2016 at 1:50 PM, Jaroslav Tulach
<jaroslav.tul...@oracle.com> wrote:
> ...if we keep the digests in the source code (as NetBeans do currently), we
> make them "absolutely trusted". Then we can continue to download from Maven
> central as we do now and everything remains kosher....

Ok - I'm clueless about how that works for NetBeans, so I'm not sure what
"in the source code" means here.

I assume the use case is downloading modules from a NetBeans instance
running on my own computer. Where does that instance get the digests
then? Hardcoded within itself? Via HTTP from the source code
repository? The latter wouldn't be acceptable in an Apache context;
the distribution channel needs to be agreed upon with ASF infra.

> ...What digest to use then? SHA1? Or connect to the Maven repositories via 
> HTTPS?

I'm not a crypto specialist but I think SHA-256 is a reasonable choice nowadays.

-Bertrand
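The scheme under discussion, pinned digests that live in the source tree and are treated as trusted so the download channel need not be, as an added example. This is not code from the thread, from NetBeans or from the ASF; the artifact names, the sample bytes and the helper names (`verify_artifact`, `check_download`, `ALLOWED_ALGORITHMS`) are all constructed here for illustration. It goes slightly beyond the message by making the digest algorithm part of the pin and refusing SHA-1 pins by policy, which is the practical consequence of choosing SHA-256.

```python
"""Verify downloaded artifacts against digests pinned in the source tree.

Added example (not part of the original thread or of NetBeans). Artifact
names and contents are constructed for the example, not real Maven
Central coordinates.
"""
import hashlib
import hmac

# Only algorithms considered collision-resistant today are accepted as pins.
# A SHA-1 pin is refused outright rather than silently honoured.
ALLOWED_ALGORITHMS = {"sha256", "sha512"}


class DigestError(Exception):
    """Raised when an artifact cannot be verified against its pin."""


def compute_digest(algorithm: str, data: bytes) -> str:
    """Return the digest of `data` as 'algorithm:hexdigest'."""
    return f"{algorithm}:{hashlib.new(algorithm, data).hexdigest()}"


def verify_artifact(name: str, data: bytes, pins: dict) -> bool:
    """Return True only if `data` matches the pinned digest for `name`.

    Raises DigestError for unpinned artifacts, for pins whose algorithm is
    outside ALLOWED_ALGORITHMS, and for mismatching digests.
    """
    pin = pins.get(name)
    if pin is None:
        raise DigestError(f"{name}: no pinned digest; refusing to install")
    algorithm, _, expected_hex = pin.partition(":")
    if algorithm not in ALLOWED_ALGORITHMS:
        raise DigestError(
            f"{name}: pin uses {algorithm!r}, which is not an allowed algorithm")
    actual_hex = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison: unnecessary for a public digest, but a
    # harmless habit for any comparison that gates trust.
    if not hmac.compare_digest(actual_hex, expected_hex):
        raise DigestError(
            f"{name}: digest mismatch (expected {expected_hex}, got {actual_hex})")
    return True


# Constructed sample artifacts standing in for jars fetched from a repository.
SAMPLE_ARTIFACTS = {
    "example-module-1.0.jar": b"PK\x03\x04 constructed jar contents for module 1.0",
    "legacy-module-0.9.jar": b"PK\x03\x04 constructed jar contents for module 0.9",
}

# The "digests kept in the source code". In a real tree these are literal hex
# strings committed by a maintainer; here they are derived from the sample
# bytes so the example runs offline.
PINNED_DIGESTS = {
    "example-module-1.0.jar": compute_digest(
        "sha256", SAMPLE_ARTIFACTS["example-module-1.0.jar"]),
    # An old-style SHA-1 pin: correct for the bytes, but refused by policy.
    "legacy-module-0.9.jar": compute_digest(
        "sha1", SAMPLE_ARTIFACTS["legacy-module-0.9.jar"]),
}


def check_download(name: str, data: bytes) -> str:
    """Return 'ok' or a short reason string, for use from a download loop."""
    try:
        verify_artifact(name, data, PINNED_DIGESTS)
        return "ok"
    except DigestError as exc:
        return str(exc)


if __name__ == "__main__":
    for artifact, content in SAMPLE_ARTIFACTS.items():
        print(artifact, "->", check_download(artifact, content))
    tampered = SAMPLE_ARTIFACTS["example-module-1.0.jar"] + b"\x00"
    print("tampered ->", check_download("example-module-1.0.jar", tampered))
```

With digests pinned this way the transport only affects availability, not integrity: a modified jar, an unpinned jar, or a pin that still uses SHA-1 is refused regardless of whether it arrived over HTTP or HTTPS. HTTPS remains worthwhile on top of this, since it stops an on-path attacker from learning or blocking what is being fetched, but it is not what makes the artifact trusted.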
