Hi Noel,

If the problem you're trying to solve with artifact signing is to detect and reject malicious artifacts that have been deployed to a hacked repository, then there is a simpler fix that is available today. Just use the checksum plugin that I described here:
http://hiramchirino.com/blog/2008/08/new-checksum-plugin.html

Basically the plugin helps you maintain a checksum database of all dependencies needed in the build, which is part of the project source code. It will validate that all downloaded dependencies match their checksums before running the build. This way you can feel safe that all those random artifacts downloaded by Maven are the actual artifacts that the project intended you to use.

On Wed, Sep 17, 2008 at 1:19 PM, Noel J. Bergman <[EMAIL PROTECTED]> wrote:
> Dan,
>
> It is a policy matter, not a legal one. And enforcing artifact signing
> would address this and other crucial, fatal, flaws in Maven's repository
> management.
>
> I still maintain that unless Maven makes swift strides to enforce signing,
> the ASF should ban the use of the Maven repository for all ASF projects, and
> go so far as to remove all of our artifacts.
>
> --- Noel

--
Regards,
Hiram
Blog: http://hiramchirino.com
Open Source SOA
http://open.iona.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
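The checksum-database approach Hiram describes, written out as an added example (not the plugin's own code): a manifest of expected digests is generated once and checked into the project, and before the build every resolved artifact is compared against it. The artifact contents, coordinates and the choice of SHA-256 are assumptions made for this illustration; a dependency that is missing from the database is treated as a failure so that a new or swapped artifact cannot enter the build unreviewed.

```python
import hashlib

# Constructed sample "downloaded" artifacts keyed by Maven-style coordinates.
# In a real build these would be the jar bytes Maven resolved into the local repo.
ARTIFACTS = {
    "org.example:lib-a:1.0": b"lib-a jar contents (constructed)",
    "org.example:lib-b:2.1": b"lib-b jar contents (constructed)",
}


def digest(data: bytes) -> str:
    # SHA-256 is an assumption here; the mail does not state the plugin's algorithm.
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> str:
    """Produce the checksum database that is committed with the project source:
    one 'coordinate=digest' line per dependency, sorted so diffs stay readable."""
    return "".join(f"{k}={digest(v)}\n" for k, v in sorted(artifacts.items()))


def parse_manifest(text: str) -> dict:
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        coord, sep, value = line.rpartition("=")  # coordinates contain ':' but never '='
        if sep:
            expected[coord] = value.lower()
    return expected


def verify(artifacts: dict, manifest_text: str) -> list:
    """Return a list of problems; an empty list means the build may proceed.
    Unknown artifacts, mismatched digests and unresolved entries all fail,
    so the committed database is the single source of truth."""
    expected = parse_manifest(manifest_text)
    problems = []
    for coord, data in sorted(artifacts.items()):
        if coord not in expected:
            problems.append(f"{coord}: not in checksum database")
        elif expected[coord] != digest(data):
            problems.append(f"{coord}: checksum mismatch")
    for coord in sorted(expected.keys() - artifacts.keys()):
        problems.append(f"{coord}: in database but not resolved")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS)
    print(manifest, end="")
    print("problems:", verify(ARTIFACTS, manifest))
```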