We do a little bit of sleuthing when resolving these types of issues
to make sure the file hasn't been changed, which is why automatic
correction isn't implemented. We are working on a process to ensure that
no new things come in this way. It can only happen today via the old
rsync mechanisms and those are deprecated and will be disabled soon
anyway.

On Thu, Dec 2, 2010 at 2:45 PM, Wayne Fay <wayne...@gmail.com> wrote:
>> I don't think that checksums are for detecting compromised jars. Checksums
>> are for checking that a file was transferred correctly, regardless of it
>> being compromised or not. So, I also think that all checksums should be
>> corrected.
>
> But how does a bot know that the Jar was uploaded ok into Central? It's
> the same problem. The checksum should be generated by the original
> owner of the artifact and uploaded alongside it, and any deviations
> should be directed back to the owner to resolve.
>
> Wayne
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
> For additional commands, e-mail: users-h...@maven.apache.org
>
>
