Posted to users@maven.apache.org by Toby Hobson <to...@btinternet.com> on 2006/09/25 13:22:43 UTC

Checksum validation

Just a quick question: how can I verify that the code Maven downloads from the repo is what I expect?

As an example, I have the following in my pom:

    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring</artifactId>
      <version>1.2.8</version>
    </dependency>

How can I be sure that the jar Maven downloads is the same as the jar on the Spring site (SourceForge)? Can I pass a checksum to Maven and ask it to validate that the jar is OK?

Thanks
Toby
  

Re: Checksum validation

Posted by Wayne Fay <wa...@gmail.com>.
If you don't trust the files being served by Central (ibiblio) and
other Maven repos, you will need to set up a local "Corporate" Repo
and fill it manually with jars you trust, and then instruct your
people to override Central with your own local repo and not allow them
to ever connect their Maven instance to the Internet.

While there is a checksum operation to validate that the files downloaded
from Central are not corrupted during the transfer down to your
computer, there is no method I am aware of to trivially check that the
jar in Central is the same as the jar in SourceForge, for example.

Wayne

On 9/25/06, Toby Hobson <to...@btinternet.com> wrote:
> Just a quick question: how can I verify that the code maven downloads from the repo is what I expect.
>
> As an example, I have the following in my pom:
>
>     <dependency>
>       <groupId>org.springframework</groupId>
>       <artifactId>spring</artifactId>
>       <version>1.2.8</version>
>     </dependency>
>
> How can I be sure that the jar maven downloads is the same as the jar on the spring site (sourceforge)? Can I pass a checksum to maven and ask it to validate that the jar is OK?
>
> Thanks
> Toby
>
>
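
Added example (not part of the original thread, and not Maven's own code): one way to do the check asked about above outside Maven, by comparing jars in the local repository against SHA-256 digests recorded from a copy you trust, such as the jar fetched from the project's own site. The function names, the pin table and the stand-in jar bytes are constructed for illustration; the path mapping follows the standard Maven 2 repository layout.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def artifact_path(repo_root, group_id, artifact_id, version, packaging="jar"):
    """Map Maven coordinates to a file in a Maven 2 layout repository
    (the local one defaults to ~/.m2/repository)."""
    return (Path(repo_root) / Path(*group_id.split(".")) / artifact_id
            / version / f"{artifact_id}-{version}.{packaging}")

def file_digest(path, algorithm="sha256"):
    """Hash the file in chunks so large jars are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_pins(repo_root, pins):
    """pins maps (groupId, artifactId, version) -> expected hex SHA-256,
    recorded from a trusted copy. Returns {coords: "ok"|"MISMATCH"|"missing"}."""
    results = {}
    for coords, expected in pins.items():
        path = artifact_path(repo_root, *coords)
        if not path.is_file():
            results[coords] = "missing"
            continue
        same = hmac.compare_digest(file_digest(path), expected.strip().lower())
        results[coords] = "ok" if same else "MISMATCH"
    return results

def demo():
    """Constructed data: a temporary repository holding a stand-in jar."""
    coords = ("org.springframework", "spring", "1.2.8")
    trusted_bytes = b"constructed stand-in for spring-1.2.8.jar"
    pins = {coords: hashlib.sha256(trusted_bytes).hexdigest()}
    with tempfile.TemporaryDirectory() as repo:
        jar = artifact_path(repo, *coords)
        jar.parent.mkdir(parents=True)
        jar.write_bytes(trusted_bytes)       # repository copy matches the pin
        before = verify_pins(repo, pins)[coords]
        jar.write_bytes(b"different bytes")  # repository copy replaced
        after = verify_pins(repo, pins)[coords]
    return before, after

if __name__ == "__main__":
    print(demo())
```

The .sha1 file that sits next to a jar in a repository is served from the same place as the jar, so it only detects transfer corruption; the pinned digest has to be recorded from a separate, trusted copy.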
