www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Loughran <steve.lough...@gmail.com>
Subject Ant and repositories
Date Tue, 02 Nov 2004 11:51:57 GMT

I'm Steve Loughran of the Ant project; Nicolaken said I should get on
this mail list

1. I have just added to Ant CVS_HEAD a task to get libraries from a
repository; built in support is for maven layouts, though others are

2. I worry about the security aspects. I dont think it is enough to
verify the MD5 signatures, because they are served up on the same
(http) server.

What should I be doing for verifying remote downloads are the intended
ones, or what changes are planned in the near future that our task
should ready itself for?

Note that the task is focused on JAR/WAR/Ear archives only, so we can
do full jar signature checking if that is felt the best solution. And
we can ship with the public key of an Apache/Maven/Gump CA to verify
signatures. Indeed, the fact that nothing has shipped at all yet (and
wont till 1.7 alpha) means that we have time to get things right here


View raw message