Not to imply Scott as anything but a most trusted developer... but how do you know Scott hasn't gone on holidays and I'm not forging his emails + jars?! (Obviously if someone can see him in their office, then this isn't true, but work with me here!)
As Maven becomes more popular it also becomes a target for crackers and the like. Would it not be a good idea to consider signing the jar files to prevent a compromise of ibiblio.org from causing some serious damage to a lot of projects? It's not unimaginable that trojan code could get into the repository (as witnessed by the BSD crack (which was foiled by signing!) of 6 months ago if I'm remembering correctly). I'd hate to see any clown lawyers try to argue failure of duty of care against Maven / Jakarta / Apache (notwithstanding the disclaimer that an end user may not read).

"Solution"

I.e. create a cert for Maven, and then have Maven only accept Maven signed jars unless options were set (to allow non Maven signers, unsigned jars etc). Maven would have to be told to trust the CA cert (if it were a snakeoil one), but that isn't a huge issue. Individual trusted developers could also be issued with their own certs from this. (I haven't been very explicit here as I don't know what resources jakarta already has along these lines / I haven't truly thought it through yet.)

In the same vein, perhaps submission of jars should be made more rigorous, as if a bad jar is injected into the signing, no amount of security after the fact will help.

Just some thoughts,

Ben

Jason van Zyl wrote:

> On Wed, 2002-10-02 at 00:20, Scott Eade wrote:
>
>> Can someone please put torque-3.0-b4.jar on ibiblio.
>
> Send me the jar you want me to put up and I will.
>
>> Thanks,
>>
>> Scott
>> --
>> Scott Eade
>> Backstage Technologies Pty. Ltd.
>> http://www.backstagetech.com.au
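The acceptance policy proposed in the message above, sketched as an added example that is not part of the original thread and is not Maven's own code: a jar is accepted only if every entry verifies and its signer chains to one trusted CA certificate. The class name, the `allowUnsigned` switch and the command-line arguments (jar path, CA certificate file) are assumptions made for illustration.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class SignedJarPolicy {
    // Signature bookkeeping files are never themselves signed, so skip them.
    static boolean isSigFile(String n) {
        String u = n.toUpperCase(Locale.ROOT);
        return u.startsWith("META-INF/") && u.indexOf('/', 9) < 0
            && (u.endsWith("/MANIFEST.MF") || u.matches(".*\\.(SF|RSA|DSA|EC)"));
    }

    // True if the signer's chain ends at the trusted CA, or the signer is the CA cert itself.
    static boolean chainsTo(CodeSigner s, X509Certificate ca) throws Exception {
        List<Certificate> chain = new ArrayList<>(s.getSignerCertPath().getCertificates());
        chain.remove(ca);                      // a PKIX path excludes the trust anchor
        if (chain.isEmpty()) return true;      // signed directly with the trusted cert
        PKIXParameters p = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
        p.setRevocationEnabled(false);         // assumption: no CRL/OCSP service exists
        try {                                  // validity is checked at the current time
            CertPathValidator.getInstance("PKIX")
                .validate(CertificateFactory.getInstance("X.509").generateCertPath(chain), p);
            return true;
        } catch (CertPathValidatorException e) { return false; }
    }

    // allowUnsigned is a hypothetical switch modelling "unless options were set".
    static boolean accept(String jarPath, X509Certificate ca, boolean allowUnsigned) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify digests and signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSigFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) { in.readAllBytes(); }
                CodeSigner[] signers = e.getCodeSigners(); // populated only after a full read
                if (signers == null) { if (allowUnsigned) continue; return false; }
                boolean ok = false;
                for (CodeSigner s : signers) ok |= chainsTo(s, ca);
                if (!ok) return false;         // signed, but not by anyone we trust
            }
            return true;
        } catch (SecurityException tampered) { return false; } // digest or signature mismatch
    }

    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[1])) {
            X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println(accept(args[0], ca, false) ? "ACCEPT" : "REJECT");
        }
    }
}
```

The check only proves who signed the bytes; as the message notes, it does nothing about a bad jar that was signed in the first place.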
