Hello, I'm Steve Loughran of the Ant project; Nicolaken said I should get on this mail list
1. I have just added to Ant CVS_HEAD a task to get libraries from a repository; built in support is for maven layouts, though others are possible. 2. I worry about the security aspects. I dont think it is enough to verify the MD5 signatures, because they are served up on the same (http) server. What should I be doing for verifying remote downloads are the intended ones, or what changes are planned in the near future that our task should ready itself for? Note that the task is focused on JAR/WAR/Ear archives only, so we can do full jar signature checking if that is felt the best solution. And we can ship with the public key of an Apache/Maven/Gump CA to verify signatures. Indeed, the fact that nothing has shipped at all yet (and wont till 1.7 alpha) means that we have time to get things right here -Steve