On Sunday 01 May 2011 20:10:24 Ian Clarke wrote:
> On Sat, Apr 30, 2011 at 3:31 PM, <freenet.10.technomation at recursor.net> wrote:
>
> > The repo poisoning issue is a canard - Maven checks the hashes and sig's
>
> Checking hashes and signatures is hardly a cast-iron guarantee against Maven
> repo poisoning. If someone can slip a subtle vulnerability into the source
> of any Maven dependency then no amount of hash or signature checking will
> detect it.
>
> Not that I'm opposed to switching to Maven (or perhaps Ivy, given that Maven
> pom files are horrible to work with), but let's at least acknowledge risks
> where they exist.
IMHO it is acceptable to use precompiled jars as long as they are signed and verified by hash. I have not seen - so far - any clear documentation to the effect that Maven ALWAYS checks signatures or secure hashes.
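Verifying a precompiled jar against a published hash, as discussed in this thread, as an added example that is not code from the thread, from Freenet or from Maven. It assumes the Maven-repository convention of a sidecar file (`.sha1`, `.md5`, etc.) holding the hex digest, optionally followed by the file name; the `SAMPLE_*` values are constructed. It also separates the two checks the thread conflates: matching the repository's own sidecar only detects corruption in transit, while matching a digest pinned from an independent source is what detects a substituted artifact.

```python
import hashlib
import hmac
from typing import Optional

# Digest algorithms keyed by the sidecar suffix a Maven-style repository publishes.
SIDECAR_ALGOS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}


def parse_sidecar(text: str) -> str:
    """Return the hex digest from a sidecar file.

    Sidecars are either a bare hex digest or 'digest  filename'
    (the output format of sha1sum and friends); both forms are accepted.
    """
    fields = text.strip().split()
    if not fields:
        raise ValueError("empty sidecar")
    digest = fields[0].lower()
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"sidecar is not hex: {fields[0]!r}")
    return digest


def digest_of(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def verify_artifact(jar: bytes, suffix: str, sidecar_text: str,
                    pinned: Optional[str] = None) -> dict:
    """Check a jar against its repository sidecar and, optionally, a pinned digest.

    'sidecar_ok' only shows the bytes match what the repository serves; a
    poisoned repository serves matching sidecars too.  'pinned_ok' compares
    against a digest recorded out of band (e.g. in the project's own tree),
    which is the check that actually catches a substituted artifact.
    """
    algo = SIDECAR_ALGOS[suffix]
    actual = digest_of(jar, algo)
    result = {"algo": algo, "actual": actual,
              "sidecar_ok": hmac.compare_digest(actual, parse_sidecar(sidecar_text))}
    if pinned is not None:
        result["pinned_ok"] = hmac.compare_digest(actual, pinned.strip().lower())
    return result


# Constructed sample: a stand-in for a jar and the sidecar a repository would publish.
SAMPLE_JAR = b"PK\x03\x04 not a real jar, constructed for the example"
SAMPLE_SHA1_SIDECAR = hashlib.sha1(SAMPLE_JAR).hexdigest() + "  sample-1.0.jar\n"

if __name__ == "__main__":
    print(verify_artifact(SAMPLE_JAR, ".sha1", SAMPLE_SHA1_SIDECAR))
```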
