jmeter-dev mailing list archives

From Vladimir Sitnikov
Subject Re: PGP-based dependency verification
Date Tue, 03 Sep 2019 18:36:32 GMT
>but isn't it a bit different in semantics to
>the current checksum based validation?

Exactly. It is a different semantics.
The case here is I do not know the intention behind the use of SHA-512 in
the JMeter build.

>Do you think this is a problem?

I'm inclined to think that PGP is good enough.
For instance, JMeter publishes 20 or so jars to Nexus, and we never publish
"the official" SHA-512 checksums.

>but isn't it a bit different in semantics

There's yet another option: we could use both PGP+SHA for verification.
It won't make dependency updates easier; however, it would simplify review.

