Posted to dev@servicemix.apache.org by Hiram Chirino <hi...@hiramchirino.com> on 2008/08/02 17:10:41 UTC

New Checksum Plugin

Hey guys,

I created a new maven plugin to help validate the integrity of the
dependencies that maven auto downloads from the central repositories.
It's located at:

https://svn.apache.org/repos/asf/servicemix/maven-plugins/checksum-maven-plugin/trunk

The basic idea is that it is possible that central repositories get
hacked and artifacts/dependencies of our builds get replaced with
malicious versions.  Right now we have no way to easily detect that
and we could potentially create a release build of ServiceMix which
bundles one of those malicious dependencies.  In practice this rarely
occurs, but for those of us who are paranoid, I've created a Checksum
plugin which will detect if someone has tampered with one of our
dependencies.

Not sure if this is the right time to start implementing its use in
servicemix, but I did want to introduce you guys to it. See
http://hiramchirino.com/blog/2008/07/comments-on-maven-repository-security.html
for more background.

-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com
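The check Hiram describes, recording a known-good digest for each dependency and failing the build when a downloaded artifact no longer matches it, is shown below as an added example. It is not the checksum-maven-plugin's code, and the manifest format (one "relative path sha256" line per artifact) and the sample jar contents are constructed assumptions for the demo. The point that matters for security is where the expected digests live: they must be committed with the project's own sources, not fetched from the same repository that serves the artifacts, because anyone who can replace an artifact there can replace a checksum file stored beside it.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path):
    """Stream a file through SHA-256 so large jars do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse the (assumed) manifest format: '<repo-relative path> <sha256 hex>' per line.

    Blank lines and '#' comments are ignored; anything else that is not exactly
    a path plus a 64-hex-character digest is rejected rather than silently skipped,
    so a damaged manifest cannot quietly disable checks.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1]) != 64:
            raise ValueError(f"manifest line {lineno} malformed: {line!r}")
        rel, digest = parts
        expected[rel] = digest.lower()
    return expected


def verify_repository(repo_root, expected):
    """Return {rel_path: 'ok' | 'mismatch' | 'missing'} for every pinned artifact.

    A missing artifact is reported separately from a mismatch; a build should
    fail on either, since both mean the pinned dependency set is not what is on disk.
    """
    results = {}
    for rel, digest in expected.items():
        path = Path(repo_root) / rel
        if not path.is_file():
            results[rel] = "missing"
            continue
        actual = sha256_of_file(path)
        # constant-time comparison is cheap and avoids sloppy string handling
        results[rel] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    return results


def build_demo_repo():
    """Constructed sample: a fake local repository with one intact jar, one jar
    altered after its digest was recorded, and one pinned jar that never arrived."""
    root = tempfile.mkdtemp(prefix="m2-demo-")
    good = Path(root) / "org/example/lib/1.0/lib-1.0.jar"
    good.parent.mkdir(parents=True)
    good.write_bytes(b"PK\x03\x04 constructed good jar content")
    util = Path(root) / "org/example/util/2.1/util-2.1.jar"
    util.parent.mkdir(parents=True)
    util.write_bytes(b"PK\x03\x04 constructed ORIGINAL util content")
    manifest = "\n".join([
        "# constructed manifest: <path> <sha256>",
        f"org/example/lib/1.0/lib-1.0.jar {sha256_of_file(good)}",
        f"org/example/util/2.1/util-2.1.jar {sha256_of_file(util)}",
        "org/example/missing/3.0/missing-3.0.jar " + "0" * 64,
    ])
    # simulate the artifact being swapped out after the manifest was committed
    util.write_bytes(b"PK\x03\x04 constructed TAMPERED util content")
    return root, manifest


def run_demo():
    root, manifest = build_demo_repo()
    return verify_repository(root, parse_manifest(manifest))


if __name__ == "__main__":
    for rel, status in run_demo().items():
        print(f"{status:9} {rel}")
```

In a real build the manifest would be generated once from artifacts you have inspected (or whose digests you obtained out of band from the upstream project), checked into the project's own repository, and then enforced on every subsequent build; any "mismatch" or "missing" result should fail the build rather than just log a warning.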