Re: Upgrade to 9 questions
From | Craig Ringer |
---|---|
Subject | Re: Upgrade to 9 questions |
Date | |
Msg-id | 4CA686F6.2040900@postnewspapers.com.au |
In response to | Re: Upgrade to 9 questions ("Kevin Grittner" <Kevin.Grittner@wicourts.gov>) |
List | pgsql-jdbc |
On 2/10/2010 1:39 AM, Kevin Grittner wrote:

> I suspect that if you pull
> official jars from the JDBC download page, nobody will find anything
> amiss if you keep Maven central current.

Frankly, that's more than a little bit worrying. Joe Black Hat could rather trivially insert an exciting little back door into a version they "helpfully" push to Central. PgJDBC doesn't have published md5sums or gpg signatures, so there's no convenient way to verify that the jar being submitted is actually approved by the project.

I've been concerned about Maven's apparent lack of cryptographic verification before (and in fact the apparent lack of concern across the entire Java community), but I'd foolishly assumed Central uploads required authorization to push to a given groupId's section.

--
Craig Ringer

Tech-related writing at http://soapyfrogs.blogspot.com/
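As an added illustration (not part of the original message, and not PgJDBC or Maven tooling): with no published checksums or signatures, one check left to a consumer is to compare a jar obtained from Central, entry by entry, against the jar from the official download page. The function names are hypothetical and the jar contents are constructed sample data.

```python
import hashlib
import io
import zipfile


def entry_digests(jar_bytes):
    """Map each file entry in a jar to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(jar.read(info)).hexdigest()
    return digests


def compare_jars(reference_bytes, candidate_bytes):
    """Report entries added to, removed from, or changed in the candidate jar."""
    ref = entry_digests(reference_bytes)
    cand = entry_digests(candidate_bytes)
    return {
        "identical_file": hashlib.sha256(reference_bytes).digest() == hashlib.sha256(candidate_bytes).digest(),
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "changed": sorted(n for n in ref.keys() & cand.keys() if ref[n] != cand[n]),
    }


def build_jar(entries, date_time):
    """Build a constructed sample jar in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


# Constructed sample data: these are not real PgJDBC contents.
BASE = {"org/example/Driver.class": b"driver-v1",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
OFFICIAL = build_jar(BASE, (2010, 10, 1, 0, 0, 0))
# Same content repackaged later: the file hash differs, the entries do not.
REPACKED = build_jar(BASE, (2010, 10, 2, 0, 0, 0))
# One class altered and one file added relative to the reference.
ALTERED = build_jar({**BASE, "org/example/Driver.class": b"driver-v1-modified",
                     "org/example/Extra.class": b"extra"}, (2010, 10, 1, 0, 0, 0))

if __name__ == "__main__":
    print(compare_jars(OFFICIAL, REPACKED))
    print(compare_jars(OFFICIAL, ALTERED))
```

A whole-file hash mismatch alone does not show tampering, since repackaging changes timestamps; the per-entry report is what separates a rebuilt archive from one with different contents.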