On Sat, Apr 30, 2011 at 3:31 PM, <freenet.10.technomation at recursor.net> wrote:

> The repo poisoning issue is a canard - Maven checks the hashes and sig's

Checking hashes and signatures is hardly a cast-iron guarantee against Maven repo poisoning. If someone can slip a subtle vulnerability into the source of any Maven dependency then no amount of hash or signature checking will detect it.

Not that I'm opposed to switching to Maven (or perhaps Ivy, given that Maven pom files are horrible to work with), but let's at least acknowledge risks where they exist.

Ian.

-- 
Ian Clarke
Personal blog: http://blog.locut.us/
