>We don't have to. We can simply mandate that every ASF project sign their
>artifacts and charge the Maven PMC with enforcing it.
And are you going to lobby Firefox and Microsoft to enforce in their browsers? Seriously, why is this Maven's problem simply because it downloads it when you can't enforce this in any other method that people download it?

>On the other hand, imagine the fun when
>someone puts a nice bit of malware into the security-free zone known as the
>Maven repository.

Security Free?