Just to clarify things, the artefact published on the apache maven repository are signed (well, to be exact, most are signed. See [1] for the current status)
However, maven doesn't [yet] validate the signature when downloading the artefacts (ivy neither). See [2] [1] http://people.apache.org/~henkp/repo/ [2] http://jira.codehaus.org/browse/MNG-2477 2008/9/17 Noel J. Bergman <[EMAIL PROTECTED]>: > Dan, > > It is a policy matter, not a legal one. And enforcing artifact signing > would address this and other crucial, fatal, flaws in Maven's repository > management. > > I still maintain that unless Maven makes swift strides to enforce signing, > the ASF should ban the use of the Maven repository for all ASF projects, and > go so far as to remove all of our artifacts. > > --- Noel > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > -- Gilles Scokart --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
