I don't think that checksums are for detecting compromised jars. Checksums
are for checking that a file was transferred correctly, regardless of it
being compromised or not. So, I also think that all checksums should be
corrected.
However, PGP signatures are for detecting compromised files.

/Anders

On Thu, Dec 2, 2010 at 17:58, Wayne Fay <wayne...@gmail.com> wrote:

> > Furthermore, it would seem that automating this process would be the
> > answer, as it probably wouldn't be difficult to crawl the repository and
> > check checksums and either (a) add them where they are missing or (b) fix
> > them where they are there and are incorrect.
>
> I don't think you want to automate fixing them, only detecting the
> problems. Because if/when an honestly bad (or compromised/hacked) jar
> lands in Central, you want to know about it, and not just assume it is
> correct and use that MD5, right?
>
> Wayne
>
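A worked illustration of the distinction drawn in this thread (a checksum catches a bad transfer, a signature catches a substituted file), added here as an example; it is not part of the original messages or of Maven's own code. It parses Maven-style `.sha1`/`.md5` checksum files (bare digest, or digest followed by a filename, in either case), then shows that whoever can replace a jar in the repository can also regenerate its checksum, so the checksum still matches, whereas a signature made with a key the attacker does not hold fails. The signature here is a keyed HMAC used only as a stand-in for the role a detached PGP `.asc` signature plays; the jar bytes, the publisher key and the file names are constructed sample data, not real artifacts.

```python
import hashlib
import hmac

# Constructed sample data standing in for a jar served by a Maven repository.
ORIGINAL_JAR = b"PK\x03\x04 original widget-1.0.jar contents (constructed sample)"
TAMPERED_JAR = b"PK\x03\x04 tampered widget-1.0.jar contents (constructed sample)"


def parse_checksum_file(text):
    """Return the lower-case hex digest from a Maven-style .md5/.sha1 file.

    Files in the wild vary: a bare digest, 'digest  filename', 'digest *filename',
    upper-case hex, trailing newline. Take the first token and normalise it.
    """
    stripped = text.strip()
    if not stripped:
        return ""
    return stripped.split()[0].lstrip("*").lower()


def verify_checksum(artifact, checksum_text, algo="sha1"):
    """True when the artifact's digest equals the published checksum file.

    This detects a truncated or corrupted download. It says nothing about
    whether the bytes the repository holds are the bytes the publisher meant.
    """
    expected = parse_checksum_file(checksum_text)
    actual = hashlib.new(algo, artifact).hexdigest()
    return hmac.compare_digest(expected, actual)


def sign(artifact, publisher_key):
    """Stand-in for producing a detached signature (HMAC, not PGP)."""
    return hmac.new(publisher_key, artifact, "sha256").hexdigest()


def verify_signature(artifact, signature_hex, publisher_key):
    """Stand-in for verifying a detached signature against the publisher's key."""
    return hmac.compare_digest(sign(artifact, publisher_key), signature_hex)


def tamper_scenario():
    """Publish a jar, then swap it for a tampered one and regenerate the checksum.

    Returns a dict of outcomes: the regenerated checksum passes on the tampered
    jar, the signature does not, and a corrupted download of the genuine jar is
    caught by the checksum alone.
    """
    publisher_key = b"publisher secret key (constructed sample)"  # assumption

    # What the publisher uploads alongside widget-1.0.jar.
    published_sha1 = hashlib.sha1(ORIGINAL_JAR).hexdigest() + "  widget-1.0.jar\n"
    published_sig = sign(ORIGINAL_JAR, publisher_key)

    # Attacker replaces the jar and writes a fresh .sha1: no secret is needed.
    attacker_sha1 = hashlib.sha1(TAMPERED_JAR).hexdigest()

    # A download that lost its last bytes in transit.
    truncated = ORIGINAL_JAR[:-5]

    return {
        "original_passes_both": (
            verify_checksum(ORIGINAL_JAR, published_sha1)
            and verify_signature(ORIGINAL_JAR, published_sig, publisher_key)
        ),
        "truncated_fails_checksum": not verify_checksum(truncated, published_sha1),
        "checksum_passes_on_tampered": verify_checksum(TAMPERED_JAR, attacker_sha1),
        "signature_rejects_tampered": not verify_signature(
            TAMPERED_JAR, published_sig, publisher_key
        ),
    }


if __name__ == "__main__":
    for name, outcome in tamper_scenario().items():
        print(f"{name}: {outcome}")
```

The point the dict makes explicit: an automated crawler that "fixes" mismatching checksums would turn the third case into a silent pass, which is why detecting mismatches and fixing them are different jobs; the only file in this set that an attacker without the publisher's key cannot regenerate is the signature.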
