On Mon, Oct 6, 2008 at 11:39 PM, Niclas Hedhman <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 6, 2008 at 10:08 PM, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>
>> There are maven plugins that can validate the checksums of 3rd party
>> dependencies.
>
> Uhhh... Call me stupid, but how can checksum solve anything other than
> assuring that the download worked?? AFAIK, Maven does not pick up the
> checksums from the "authoritative" server and validates it against the
> mirrored one. Perhaps that has changed since "back then"... And even
> then, how hard can it be to get the same 1024/2048/65536/... bit
> checksum by modifying that many 'extra' or 'unused' bits?
>

Because we would be including the checksum in the source code of the
project that needs the dependency.  I guess I failed to say that the
checksum needs to be a cryptographic checksum and not one of your CRC
variants.  That way it's computationally difficult to figure out which
bits you need to pad to get the same checksum.

So like I said, once you start doing that maven is about as secure as
any other build tool that we currently use at the ASF.

>
> Cheers
> Niclas
>



-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
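The pin-and-verify scheme described in this thread, as an added example in Python (not code from the thread, from Maven, or from any Maven plugin): the SHA-256 of each third-party dependency is recorded in the project's own source tree, and a downloaded copy is rejected unless its digest matches that pinned value, so a mirror that serves a different file fails the check. The artifact names and bytes are constructed for the demo; `crc32_matches` is included only to contrast a CRC-style integrity check with a cryptographic digest.

```python
import hashlib
import hmac
import zlib
from typing import Dict, Tuple

# Constructed sample "artifacts" standing in for downloaded jars (not real Maven artifacts).
ARTIFACTS: Dict[str, bytes] = {
    "commons-example-1.0.jar": b"PK\x03\x04 example jar payload v1.0",
}


def sha256_hex(data: bytes) -> str:
    """Cryptographic digest of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


# The pin manifest belongs in the project's own source (committed next to the POM),
# so a mirror cannot alter it. It is derived here from the constructed sample only to
# keep the example self-contained; in practice the digest is recorded once, from a
# copy obtained from the authoritative source, and committed with the project.
PINNED_SHA256: Dict[str, str] = {name: sha256_hex(blob) for name, blob in ARTIFACTS.items()}


def verify_artifact(name: str, downloaded: bytes, pins: Dict[str, str]) -> Tuple[bool, str]:
    """Accept a downloaded artifact only if its SHA-256 equals the pinned digest."""
    expected = pins.get(name)
    if expected is None:
        # An unpinned dependency is treated as a failure, not silently trusted.
        return False, f"{name}: no pinned checksum; refusing unverified dependency"
    actual = sha256_hex(downloaded)
    # Constant-time comparison so the check does not leak digest prefixes via timing.
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: checksum mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: ok"


def tamper(blob: bytes) -> bytes:
    """Constructed 'mirror served a different file' case: same name, different content."""
    return blob + b"\n# extra bytes from an untrusted mirror"


def crc32_matches(downloaded: bytes, expected_crc: int) -> bool:
    """Integrity-only check of the kind the thread warns about: CRC32 detects transmission
    errors but, being a linear code, offers no protection against deliberate substitution."""
    return (zlib.crc32(downloaded) & 0xFFFFFFFF) == expected_crc


def demo() -> Dict[str, bool]:
    """Run the pinned check over the genuine, tampered and unpinned cases."""
    results: Dict[str, bool] = {}
    for name, blob in ARTIFACTS.items():
        results[name + ":genuine"] = verify_artifact(name, blob, PINNED_SHA256)[0]
        results[name + ":tampered"] = verify_artifact(name, tamper(blob), PINNED_SHA256)[0]
        results[name + ":unpinned"] = verify_artifact("unknown-9.9.jar", blob, PINNED_SHA256)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "PASS" if ok else "FAIL")
```

The manifest is the trust anchor: as long as it is committed with the source and its digests were taken from the authoritative copy, the mirror used for downloading can only cause a build failure, not a silent substitution.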
