Hi,

On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
> Not if there is a man in the middle attack. If you didn't notice the
> recent noise w.r.t. DNS pollution, that's the very point of that vector.
> Had it been exploited, tens of thousands of download users could have
> been presented with inauthentic maven artifacts, complete with their
> freshly corresponding checksums. Welcome to the internet.
Using Hiram's plugin the checksums are already stored in the project that you're building, which you typically got either by checking it out of svn or by downloading a source release, both of which are separate from the Maven repository. Once you're confident that the sources you have are not compromised, the included checksums will verify that the dependencies that were downloaded by Maven are also valid (i.e. the same binaries that the original developer used). The checksums are _not_ downloaded from the Maven repository.

BR,

Jukka Zitting
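As an added illustration of the verification flow Jukka describes (this is not Hiram's plugin, nor any code from this thread or from Maven): the checksums travel with the trusted source tree, and the artifacts that Maven fetched into the local repository are compared against them, so a substituted download shows up as a mismatch regardless of what checksum files the repository served alongside it. The pin-file format, the choice of SHA-256, the directory layout and every function name are assumptions made for this example, and the scenario in `demo()` is constructed.

```python
"""Verify locally cached dependencies against checksums pinned in the project tree.

Added example (not Hiram's plugin, not Maven code). Assumptions: a pin file with
one '<sha256hex>  <relative/artifact/path>' entry per line, a local repository
laid out as a directory tree, and SHA-256 as the digest.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large artifacts don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_pins(text: str) -> dict:
    """Parse the (assumed) pin-file format; blank lines and '#' comments are ignored.
    A malformed line is an error rather than a silently skipped pin."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed pin at line {lineno}: {raw!r}")
        pins[parts[1].strip()] = parts[0].lower()
    return pins


def verify_repo(repo_root: Path, pins: dict) -> dict:
    """Return {artifact: 'ok' | 'mismatch' | 'missing'} for every pinned artifact.
    The digest comes only from the bytes on disk; nothing served by the remote
    repository (such as a .sha1 file next to the artifact) is consulted."""
    results = {}
    for rel, expected in pins.items():
        p = repo_root / rel
        if not p.is_file():
            results[rel] = "missing"
        elif hmac.compare_digest(sha256_file(p), expected):
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def unpinned_artifacts(repo_root: Path, pins: dict) -> list:
    """Artifacts present in the cache that no pin covers: a new dependency that
    slipped in without review would otherwise pass unnoticed."""
    found = []
    for p in repo_root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(repo_root).as_posix()
            if rel not in pins:
                found.append(rel)
    return sorted(found)


def demo() -> tuple:
    """Constructed scenario: one intact artifact, one whose download was swapped for
    different bytes, one pinned but never downloaded, and one unpinned extra."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        good = repo / "org/example/lib/1.0/lib-1.0.jar"
        bad = repo / "org/example/util/2.1/util-2.1.jar"
        extra = repo / "org/example/extra/0.1/extra-0.1.jar"
        for p, data in ((good, b"good bytes"), (bad, b"original bytes"), (extra, b"extra bytes")):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # The pin file is derived from the trusted bytes, as a developer would commit it.
        pin_text = "\n".join([
            "# constructed pin file (example)",
            f"{sha256_file(good)}  org/example/lib/1.0/lib-1.0.jar",
            f"{sha256_file(bad)}  org/example/util/2.1/util-2.1.jar",
            f"{'0' * 64}  org/example/never/9.9/never-9.9.jar",  # placeholder digest
        ])
        # Simulate a substituted download: same path, different content.
        bad.write_bytes(b"tampered bytes")
        pins = parse_pins(pin_text)
        return verify_repo(repo, pins), unpinned_artifacts(repo, pins)


if __name__ == "__main__":
    results, unpinned = demo()
    for artifact, status in sorted(results.items()):
        print(f"{status:9} {artifact}")
    for artifact in unpinned:
        print(f"unpinned  {artifact}")
```

The pin file is the trust anchor here, so it matters that it arrives with the sources (svn checkout or source release) and not from the artifact repository; a build would treat any `mismatch`, `missing` or unpinned entry as a failure rather than a warning.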