Re: Upgrade to 9 questions - Mailing list pgsql-jdbc

From Craig Ringer
Subject Re: Upgrade to 9 questions
Msg-id 4CA686F6.2040900@postnewspapers.com.au
In response to Re: Upgrade to 9 questions  ("Kevin Grittner" <Kevin.Grittner@wicourts.gov>)
List pgsql-jdbc
On 2/10/2010 1:39 AM, Kevin Grittner wrote:
> I suspect that if you pull
> official jars from the JDBC download page, nobody will find anything
> amiss if you keep Maven central current.

Frankly, that's more than a little bit worrying. Joe Black Hat could
rather trivially insert an exciting little back door into a version they
"helpfully" push to Central. PgJDBC doesn't have published md5sums or
gpg signatures, so there's no convenient way to verify that the jar
being submitted is actually approved by the project.

I've been concerned about Maven's apparent lack of cryptographic
verification before (and in fact the apparent lack of concern across the
entire Java community), but I'd foolishly assumed Central uploads
required authorization to push to a given groupId's section.

--
Craig Ringer

Tech-related writing at http://soapyfrogs.blogspot.com/
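The verification gap Craig describes above, as an added example that is not part of the thread and not PgJDBC or Maven code: a repository consumer checks a downloaded jar first against the `.sha1` sidecar published beside it, then against a detached signature using a project release key obtained out of band. Assumptions: the jar bytes are a constructed placeholder, not a real archive; Ed25519 from Go's standard library stands in for an OpenPGP detached signature so the block runs offline with no gpg installed; the `Release`, `Publish`, `VerifyChecksum`, `VerifySignature` and `Scenario` names are this example's own, and the fixed key seeds exist only to make the run deterministic.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Release is what a consumer pulls from a repository: the jar plus the
// sidecar files that sit next to it. All three are uploaded together, so
// whoever can write to the groupId directory controls all of them.
type Release struct {
	Jar  []byte // jar bytes (constructed placeholder, not a real archive)
	SHA1 string // contents of the .sha1 sidecar, hex encoded
	Sig  []byte // detached signature over Jar (stands in for a .asc file)
}

// sha1Hex mirrors the .sha1 sidecar a repository publishes beside an artifact.
func sha1Hex(b []byte) string {
	sum := sha1.Sum(b)
	return hex.EncodeToString(sum[:])
}

// VerifyChecksum is what "check the md5/sha1" buys you: it catches a corrupt
// download, but not a substituted artifact, because whoever replaced the jar
// also replaced the sidecar to match.
func VerifyChecksum(r Release) bool {
	return sha1Hex(r.Jar) == r.SHA1
}

// VerifySignature checks the detached signature against a project key the
// consumer pinned out of band, not one fetched from the repository. Only the
// holder of the matching private key can produce a signature that passes.
func VerifySignature(projectKey ed25519.PublicKey, r Release) bool {
	return len(r.Sig) == ed25519.SignatureSize && ed25519.Verify(projectKey, r.Jar, r.Sig)
}

// Publish builds a release exactly as the given signer would upload it:
// jar, matching .sha1 sidecar, and a signature under the signer's own key.
func Publish(jar []byte, signer ed25519.PrivateKey) Release {
	return Release{Jar: jar, SHA1: sha1Hex(jar), Sig: ed25519.Sign(signer, jar)}
}

// Outcome records what each check says about one release.
type Outcome struct {
	ChecksumOK  bool
	SignatureOK bool
}

// Scenario plays out the concern in the thread: a genuine upload, then a
// third-party upload of a modified jar with a freshly computed sidecar and a
// signature from the uploader's own key. Keys come from fixed seeds purely so
// the run is deterministic (assumption for the example, never do this for real).
func Scenario() (genuine, tampered Outcome) {
	projectPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	projectPub := projectPriv.Public().(ed25519.PublicKey)

	// Constructed stand-in bytes; a real jar is a zip archive.
	official := []byte("PK\x03\x04 constructed stand-in for postgresql.jar")
	modified := append(append([]byte{}, official...), []byte(" + extra class")...)

	good := Publish(official, projectPriv)  // what the project would push
	bad := Publish(modified, attackerPriv)  // what an unauthorised uploader pushes

	genuine = Outcome{ChecksumOK: VerifyChecksum(good), SignatureOK: VerifySignature(projectPub, good)}
	tampered = Outcome{ChecksumOK: VerifyChecksum(bad), SignatureOK: VerifySignature(projectPub, bad)}
	return genuine, tampered
}

func main() {
	g, t := Scenario()
	fmt.Printf("genuine:  checksum=%v signature=%v\n", g.ChecksumOK, g.SignatureOK)
	fmt.Printf("tampered: checksum=%v signature=%v\n", t.ChecksumOK, t.SignatureOK)
}
```

The tampered release passes the checksum check and fails only the signature check, which is why a checksum sidecar served from the same place as the jar is no substitute for a signature under a key the project publishes separately and the consumer pins.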
