2010/1/5 Martin Cooper <mart...@apache.org>:
> Do not do this. If you download the files, you have no way of knowing
> if they are the same ones you put there. They could have been
> corrupted, deliberately or otherwise, in the interim, and without
> signatures you cannot verify what you have (which is why we want the
> signatures in the first place). When you then sign those downloaded
> files, you could be signing anything. Think of it as signing a blank
> check and then giving that check to a stranger. Not something you want
> to be doing.

I still have a copy of those files, so I don't have to download them. I will sign them, generate hashes and upload to the repo.

Regards
--
Lukasz
http://www.lenart.org.pl/
http://javarsovia.pl
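
An added example, not part of the original thread: a pre-signing check that hashes the release manager's own build output and the copies fetched from the repository, so that only local files are signing candidates and altered or unknown repository files are flagged. The directory layout, file names and status labels are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large archives are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_artifacts(trusted_dir: Path, downloaded_dir: Path) -> dict:
    """Compare repository copies with the local build output.
    Only a local file is a signing candidate; a download is at most confirmed."""
    trusted = {p.name: sha256_file(p) for p in trusted_dir.iterdir() if p.is_file()}
    fetched = {p.name: sha256_file(p) for p in downloaded_dir.iterdir() if p.is_file()}
    report = {}
    for name in sorted(trusted.keys() | fetched.keys()):
        if name not in trusted:
            report[name] = "unknown-origin"    # exists only in the repo: never sign
        elif name not in fetched:
            report[name] = "not-published"     # local only: sign, then upload
        elif trusted[name] == fetched[name]:
            report[name] = "identical"         # repo copy matches the local build
        else:
            report[name] = "modified-in-repo"  # corrupted or altered after upload
    return report


def demo() -> dict:
    """Constructed sample: local build output vs. what the repository now serves."""
    with tempfile.TemporaryDirectory() as tmp:
        local, repo = Path(tmp, "local"), Path(tmp, "repo")
        local.mkdir()
        repo.mkdir()
        for name in ("app-1.0-src.zip", "app-1.0-bin.zip", "app-1.0-docs.zip"):
            (local / name).write_bytes(b"built:" + name.encode())
        (repo / "app-1.0-src.zip").write_bytes(b"built:app-1.0-src.zip")
        (repo / "app-1.0-bin.zip").write_bytes(b"built:app-1.0-bin.zip" + b"\x00")
        (repo / "app-1.0-extra.jar").write_bytes(b"not from the local build")
        return classify_artifacts(local, repo)


if __name__ == "__main__":
    print(demo())
```

Signatures are generated only over files in the local directory; a `modified-in-repo` or `unknown-origin` result means the repository copy needs investigation and replacement, not a signature.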