On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
> <[EMAIL PROTECTED]> wrote:
>
> > Similarly, the issue of signature validation is a significant flaw which
> > I also hope maven addresses even more promptly, and which they are aware
> > of. The alternatives are to take down maven until it is secure, or to
> > continue to populate maven with various released artifacts. And this too
> > isn't germane to the question above, which is;
>
> The signature validation issue has a simple fix which I have already
> mentioned earlier. I'm not sure why folks continue to think it's
> still a problem. All the projects need to do is enable a checksum
> validation plugin, and at least that problem is resolved.
Not sure I agree that the checksum plugin solves the problem. As far as I
can tell, all that the plugin does is to detect any changes to dependencies
that occur *after the checksum list is initially generated*. Unless I'm
mistaken, it does not guard against the original dependency already being
corrupt, nor does it protect the product itself. What's to stop the checksum
list being corrupted?
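An added illustration of the point made in the reply above (not code from this thread, from Maven, or from any checksum plugin): a Python sketch of what a checksum list recorded on first use catches and what it misses. The artifact name and contents are constructed sample data; "out-of-band" digests stand in for any integrity data obtained from the publisher through a channel the attacker cannot write to.

```python
import hashlib

# Constructed sample data: bytes of a hypothetical dependency and a
# tampered copy of it. Name and contents are made up for this example.
ARTIFACT = "commons-foo-1.0.jar"
GENUINE = b"commons-foo-1.0.jar: genuine build output"
TAMPERED = b"commons-foo-1.0.jar: build output with an injected change"


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1, the digest Maven repositories publish beside artifacts."""
    return hashlib.sha1(data).hexdigest()


def generate_checksum_list(repo: dict) -> dict:
    """First run of a checksum plugin: record a digest of whatever is in the
    local repository at that moment (trust on first use)."""
    return {name: sha1_hex(data) for name, data in repo.items()}


def verify_against_list(repo: dict, checksum_list: dict) -> bool:
    """Later runs: every artifact must still match its recorded digest."""
    return all(sha1_hex(repo[name]) == digest for name, digest in checksum_list.items())


def tampered_after_pinning() -> bool:
    """Artifact replaced after the list was generated: the plugin catches it."""
    repo = {ARTIFACT: GENUINE}
    pinned = generate_checksum_list(repo)
    repo[ARTIFACT] = TAMPERED
    return verify_against_list(repo, pinned)  # False: mismatch detected


def corrupt_before_pinning() -> bool:
    """Artifact already corrupt when the list was generated: the bad digest is
    pinned and every later check passes."""
    repo = {ARTIFACT: TAMPERED}
    pinned = generate_checksum_list(repo)
    return verify_against_list(repo, pinned)  # True: nothing detected


def list_and_artifact_both_replaced() -> bool:
    """Whoever can alter the artifact can usually alter the stored checksum
    list as well, so the check still passes."""
    repo = {ARTIFACT: GENUINE}
    pinned = generate_checksum_list(repo)
    repo[ARTIFACT] = TAMPERED
    pinned[ARTIFACT] = sha1_hex(TAMPERED)
    return verify_against_list(repo, pinned)  # True: nothing detected


def verify_out_of_band(repo: dict, trusted: dict) -> bool:
    """Same comparison, but against digests the publisher supplied through a
    channel the attacker cannot write to; this is what catches the two cases
    above, and is the role a signature over the release plays."""
    return all(sha1_hex(repo[name]) == digest for name, digest in trusted.items())
```

The first-use list only detects drift relative to the snapshot; it has no opinion on whether that snapshot was genuine, which is exactly the gap the reply describes.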