Niclas Hedhman wrote:
> On Mon, Oct 6, 2008 at 10:08 PM, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>
>> There are maven plugins that can validate the checksums of 3rd party
>> dependencies.
>
> Uhhh... Call me stupid, but how can a checksum solve anything other than
> assuring that the download worked?? AFAIK, Maven does not pick up the
> checksums from the "authoritative" server and validate them against the
> mirrored one. Perhaps that has changed since "back then"... And even
> then, how hard can it be to get the same 1024/2048/65536/... bit
> checksum by modifying that many 'extra' or 'unused' bits?
You're not stupid[1][2]. Practically speaking, SHA384++ are still "strong enough", but, as you point out, that holds only if the checksum values are taken from a trusted[3][4] reference server, separate from the distribution server and immune from MITM channels.

All of this is simply idle chatter until a repository server is compromised, at which point half will be scolding the other half with "I told you so".

But none of this has anything to do with "Incubator" best practices, unless you want to prohibit incubator projects from assembling releases from Maven.

[1] http://en.wikipedia.org/wiki/Md5#Vulnerability
[2] http://en.wikipedia.org/wiki/Sha1#Cryptanalysis_and_validation
[3] http://www.apache.org/info/20010519-hack.html
[4] http://news.cnet.com/8301-1009_3-10023565-83.html
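The distinction the reply draws, as an added example that is not part of the thread and not Maven's own tooling: a checksum served next to the artifact by the same host catches a damaged download but not a host that was compromised (or a path that is MITM'd), because whoever replaces the artifact simply regenerates the co-located checksum; a checksum taken from a separate, trusted reference host catches both. Both hosts are stood in by in-memory dictionaries, and the artifact name and bytes are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample artifact; the name and bytes are illustrative only.
ARTIFACT_NAME = "lib-1.0.jar"
ARTIFACT = b"PK\x03\x04 constructed stand-in for lib-1.0.jar"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_mirror(name: str, artifact: bytes) -> dict:
    """Distribution server: serves the artifact plus a checksum file computed
    from it, the way a Maven repository serves .sha1/.md5 beside each artifact."""
    return {name: artifact, name + ".sha256": sha256_hex(artifact)}


def publish_reference(name: str, artifact: bytes) -> dict:
    """Separate trusted host that publishes only checksums, computed from the
    release artifact before it was pushed to any mirror."""
    return {name: sha256_hex(artifact)}


def verify_colocated(mirror: dict, name: str) -> bool:
    """Checksum taken from the same server as the artifact."""
    return hmac.compare_digest(sha256_hex(mirror[name]), mirror[name + ".sha256"])


def verify_reference(mirror: dict, reference: dict, name: str) -> bool:
    """Checksum taken from the separate reference host."""
    return hmac.compare_digest(sha256_hex(mirror[name]), reference[name])


def corrupt_in_transit(mirror: dict, name: str) -> dict:
    """Download failure: artifact bytes damaged, checksum file untouched."""
    damaged = dict(mirror)
    damaged[name] = mirror[name][:-1] + b"\x00"
    return damaged


def compromise_mirror(mirror: dict, name: str, payload: bytes) -> dict:
    """Attacker with write access to the mirror (or sitting on the path to it)
    swaps the artifact and regenerates the co-located checksum to match."""
    tampered = dict(mirror)
    tampered[name] = payload
    tampered[name + ".sha256"] = sha256_hex(payload)
    return tampered


def scenario_results() -> dict:
    """For each scenario: (co-located check passes?, reference check passes?)."""
    mirror = build_mirror(ARTIFACT_NAME, ARTIFACT)
    reference = publish_reference(ARTIFACT_NAME, ARTIFACT)
    damaged = corrupt_in_transit(mirror, ARTIFACT_NAME)
    backdoored = compromise_mirror(mirror, ARTIFACT_NAME, ARTIFACT + b" + backdoor")
    return {
        "honest": (verify_colocated(mirror, ARTIFACT_NAME),
                   verify_reference(mirror, reference, ARTIFACT_NAME)),
        "corrupted_download": (verify_colocated(damaged, ARTIFACT_NAME),
                               verify_reference(damaged, reference, ARTIFACT_NAME)),
        "compromised_mirror": (verify_colocated(backdoored, ARTIFACT_NAME),
                               verify_reference(backdoored, reference, ARTIFACT_NAME)),
    }


if __name__ == "__main__":
    for scenario, (colocated_ok, reference_ok) in scenario_results().items():
        print(f"{scenario:20s} co-located: {colocated_ok}  reference: {reference_ok}")
```

The "compromised_mirror" row is the one that matters: the co-located check reports success while the reference check fails. The reference host only helps if the checksum is fetched over a channel the attacker cannot also tamper with (its own TLS identity, or a checksum list signed by a key obtained out of band); the collision-resistance question in [1][2] is separate from the question of where the digest comes from, and this example only addresses the latter.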