
Key: MNG-2477
Type: Bug
Status: Open
Priority: Major
Assignee: Unassigned
Reporter: Brett Porter
Votes: 3
Watchers: 5
Project: Maven 2

Implement repository security improvements for verification of downloaded artifacts

Created: 01/Aug/06 01:32 AM   Updated: 14/Dec/08 06:08 AM
Component/s: Artifacts and Repositories
Affects Version/s: None
Fix Version/s: 3.x

Time Tracking:
Not Specified

File Attachments: 1. File requiredChecksums.diff (14 kB)

Issue Links:
Duplicate
Supercedes

Complexity: Intermediate



Comments (ascending order)
Brett Porter added a comment - 19/Oct/06 01:26 AM
One thought on a quicker gpg implementation: fork gpg (assume it exists, handle the exception if not or disable the capability), and then attach the resulting .asc to an upload. This won't handle downloads but at least gets us the deployment functionality that is highly requested.

Stefano Bagnara added a comment - 28/Apr/07 08:00 AM
Now that the pgp signing plugin allows us to automatically gpg-sign deployed artifacts, isn't it possible to add the possibility to specify that a given dependency must be signed and that you expect a given fingerprint for that artifact?

We use only local folders for direct dependencies to ensure that our final package includes only "verified" jars, but I would also like to ensure that the build is done using the very plugins I chose, and I want to be able to check their signatures.

A much less secure but still a step forward would be to be able to specify the md5 in addition to the version when declaring the dependency, so that we can check that we are using the same artifact. (Although md5 is cracked and this won't be very secure.)

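The checksum-pinning idea in the comment above, worked through as an added example (not Maven's code, and not the patch attached to this issue): a dependency declaration carries the expected digest of the artifact, and the downloaded bytes are rejected unless they match. The `checksums` key on the declaration and the coordinates used below are a hypothetical schema invented for the example, not POM syntax. Signature and fingerprint checking would sit alongside this and is not shown. The check fails closed when no checksum is declared, only accepts md5/sha1 when the caller explicitly opts in (the comment's own caveat that md5 is broken), and compares digests in constant time.

```python
import hashlib
import hmac

# Digest algorithms considered strong enough to pin an artifact.
STRONG_ALGORITHMS = ("sha256", "sha512")
# Accepted only when the caller explicitly opts in: md5 is broken, sha1 deprecated.
WEAK_ALGORITHMS = ("md5", "sha1")


def coordinates(declared: dict) -> str:
    """groupId:artifactId:version, for messages."""
    return "%s:%s:%s" % (declared["groupId"], declared["artifactId"], declared["version"])


def compute_checksums(data: bytes, algorithms) -> dict:
    """Return {algorithm: lowercase hex digest} for the artifact bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def verify_artifact(data: bytes, declared: dict, allow_weak: bool = False) -> tuple:
    """Check downloaded artifact bytes against the checksums pinned in the
    dependency declaration (hypothetical 'checksums' key).

    Returns (ok, reason). Fails closed: a dependency without an acceptable
    checksum is rejected rather than silently trusted, and every pinned
    strong digest must match, not just one of them."""
    pinned = declared.get("checksums") or {}
    usable = [alg for alg in pinned if alg in STRONG_ALGORITHMS]
    if not usable and allow_weak:
        usable = [alg for alg in pinned if alg in WEAK_ALGORITHMS]
    if not usable:
        return False, "no acceptable checksum declared for %s" % coordinates(declared)
    actual = compute_checksums(data, usable)
    for alg in usable:
        expected = str(pinned[alg]).strip().lower()
        # Constant-time comparison so a mismatch position is not observable.
        if not hmac.compare_digest(actual[alg], expected):
            return False, "%s mismatch for %s" % (alg, coordinates(declared))
    return True, "verified %s with %s" % (coordinates(declared), ",".join(usable))


# Constructed sample artifact (stands in for a jar) and declarations that pin it.
# The digests are computed once here, standing in for values recorded at the
# time the dependency was vetted and written into the declaration.
SAMPLE_ARTIFACT = b"constructed jar bytes for the example"
SAMPLE_DEPENDENCY = {
    "groupId": "org.example", "artifactId": "example-lib", "version": "1.0",
    "checksums": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()},
}
MD5_ONLY_DEPENDENCY = {
    "groupId": "org.example", "artifactId": "legacy-lib", "version": "0.9",
    "checksums": {"md5": hashlib.md5(SAMPLE_ARTIFACT).hexdigest()},
}
UNPINNED_DEPENDENCY = {
    "groupId": "org.example", "artifactId": "unpinned-lib", "version": "2.0",
}

if __name__ == "__main__":
    print(verify_artifact(SAMPLE_ARTIFACT, SAMPLE_DEPENDENCY))
    print(verify_artifact(SAMPLE_ARTIFACT + b"tampered", SAMPLE_DEPENDENCY))
    print(verify_artifact(SAMPLE_ARTIFACT, MD5_ONLY_DEPENDENCY))
    print(verify_artifact(SAMPLE_ARTIFACT, MD5_ONLY_DEPENDENCY, allow_weak=True))
    print(verify_artifact(SAMPLE_ARTIFACT, UNPINNED_DEPENDENCY))
```

The design choice worth noting is the `allow_weak` switch: an md5-only pin still catches accidental corruption and a swapped file, but it is not a defence against a deliberately crafted collision, so the verifier treats it as a degraded mode the build has to ask for rather than a default.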

Brett Porter added a comment - 07/Jul/08 08:21 PM

Brett Porter added a comment - 05/Aug/08 11:41 AM
A rough look at required checksums - not effective as it needs to be merged through the resolution tree.