On 18/09/2008, Jukka Zitting <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr.
> <[EMAIL PROTECTED]> wrote:
> > Not if there is a man in the middle attack. If you didn't notice the
> > recent noise w.r.t. DNS pollution, that's the very point of that vector.
> > Had it been exploited, tens of thousands of download users could have
> > been presented with inauthentic maven artifacts, complete with their
> > freshly corresponding checksums. Welcome to the internet.
>
> Using Hiram's plugin the checksums are already stored in the project
> that you're building and which you typically got either by checking it
> out of svn or by downloading a source release, both of which are
> separate from the Maven repository.
>
> Once you're confident that the sources you have are not compromised,
> the included checksums will verify that the dependencies that were
> downloaded by Maven are also valid (i.e. the same binaries that the
> original developer used).
>
> The checksums are _not_ downloaded from the Maven repository.

So where are they stored?

> BR,
>
> Jukka Zitting
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
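The trust model the thread is arguing about, as an added example that is not part of the original message and not the code of Hiram's plugin or of Maven: a checksum served from the same host as the artifact is worthless against a man-in-the-middle who controls that host, because the attacker ships a tampered jar together with a freshly matching .sha1 file; a checksum pinned in the project's own tree (obtained out of band, via svn or a source release) still catches the substitution. The artifact bytes, coordinates and the `repository_fetch` model are constructed for the demo; SHA-1 is used because that is what Maven repositories of that era published, and a modern pin should prefer SHA-256.

```python
"""Pinned-checksum verification versus repository-served checksums.

Added example. Everything here (artifact bytes, coordinates, the
repository model) is constructed; no Maven repository is contacted.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Artifact:
    coordinates: str   # constructed, e.g. "org.example:lib:1.0"
    data: bytes        # the jar bytes


# Constructed sample: the artifact the original developer actually built against.
GENUINE = Artifact("org.example:lib:1.0", b"genuine jar bytes v1.0")

# Checksums kept in the project tree (checked out of svn / shipped in the
# source release). They travel over a channel separate from the repository,
# so an attacker who controls the download host cannot rewrite them.
PINNED = {GENUINE.coordinates: hashlib.sha1(GENUINE.data).hexdigest()}


def repository_fetch(coords, mitm=False):
    """Model of downloading an artifact and its .sha1 from the repository.

    Returns (artifact, checksum_as_served). With mitm=True the attacker has
    redirected the repository hostname (e.g. via DNS cache poisoning) and
    serves a tampered jar *and* the matching .sha1 for it.
    """
    if mitm:
        tampered = Artifact(coords, b"backdoored jar bytes")
        return tampered, hashlib.sha1(tampered.data).hexdigest()
    return GENUINE, hashlib.sha1(GENUINE.data).hexdigest()


def verify_with_served_checksum(artifact, served_sha1):
    """Weak check: compare the jar against the .sha1 served by the same host."""
    return hmac.compare_digest(hashlib.sha1(artifact.data).hexdigest(), served_sha1)


def verify_with_pinned_checksum(artifact, pinned=PINNED):
    """Strong check: compare the jar against the checksum stored in the project.

    An unpinned dependency is rejected rather than silently trusted.
    """
    expected = pinned.get(artifact.coordinates)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha1(artifact.data).hexdigest(), expected)


def run_scenarios():
    """Run both checks with and without a man-in-the-middle.

    Returns {mitm: (served_check_passed, pinned_check_passed)}.
    """
    results = {}
    for mitm in (False, True):
        artifact, served = repository_fetch(GENUINE.coordinates, mitm=mitm)
        results[mitm] = (
            verify_with_served_checksum(artifact, served),
            verify_with_pinned_checksum(artifact),
        )
    return results


if __name__ == "__main__":
    for mitm, (served_ok, pinned_ok) in run_scenarios().items():
        print(f"mitm={mitm}: served .sha1 check={served_ok}, pinned check={pinned_ok}")
```

Under the honest download both checks pass; under the man-in-the-middle the served-checksum check still passes, which is exactly the "freshly corresponding checksums" problem, while the pinned check fails. The pinned check is only as good as the channel the pins arrived over, which is why the thread's precondition (the checked-out sources themselves are not compromised) matters.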