> I don't think that checksums are for detecting compromised jars. Checksums are for checking that a file was transferred correctly, regardless of it being compromised or not. So, I also think that all checksums should be corrected.
But how does a bot know that the Jar was uploaded ok into Central? It's the same problem. The checksum should be generated by the original owner of the artifact and uploaded alongside it, and any deviations should be directed back to the owner to resolve.

Wayne