[slf4j-user] Signatures for verifying Slf4j

Joern Huxhorn jhuxhorn at googlemail.com
Fri May 7 10:50:12 CEST 2010


One solution could be the use of signed tags for SLF4J and Logback.

That way it would be possible to pull the git repository, check the signature of the tag and build SLF4J and Logback yourself afterwards.
I think the MD5 and SHA1 of Maven repository are merely a way to prevent corrupted files, not an actual security feature.

Cheers,
Joern.

On 07.05.2010, at 09:26, Elisha Ebenezer wrote:

> Hi Ceki,
> I'm trying to push to use Slf4j and logback in our project and my company wants me to get the MD5 or SHA1 hashes or the code-signing certs to verify the integrity of downloaded files.
>  
> Though repo1.maven.org site provides the hashes, we are not sure whether the war and the hash are uploaded by genuine party or not.
>  
> As you are the owner of the project, I request you to kindly publish the hashes or certs on website's download page.. which can be cross-checked with the downloaded war and/or also with the maven repository.
>  
> Kindly do the needful and oblige.
>  
> Thanks,
> Elisha Ebenezer. _______________________________________________
> slf4j-user mailing list
> slf4j-user at qos.ch
> http://qos.ch/mailman/listinfo/slf4j-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://qos.ch/pipermail/slf4j-user/attachments/20100507/493b20c5/attachment.html>


More information about the slf4j-user mailing list