<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">One solution could be the use of signed tags for SLF4J and Logback.<div><br><div>That way it would be possible to pull the git repository, check the signature of the tag and build SLF4J and Logback yourself afterwards.</div><div>I think the MD5 and SHA1 of Maven repository are merely a way to prevent corrupted files, not an actual security feature.</div><div><br></div><div>Cheers,</div><div>Joern.</div><div><br><div><div>On 07.05.2010, at 09:26, Elisha Ebenezer wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Hi Ceki,<br>I'm trying to push to use Slf4j and logback in our project and my company wants me to get the MD5 or SHA1 hashes or the code-signing certs to verify the integrity of downloaded files.<br> <br>Though <a href="http://repo1.maven.org/">repo1.maven.org</a> site provides the hashes, we are not sure whether the war and the hash are uploaded by genuine party or not.<br>
<br>As you are the owner of the project, I request you to kindly publish the hashes or certs on website's download page.. which can be cross-checked with the downloaded war and/or also with the maven repository.<br> <br>
Kindly do the needful and oblige.<br> <br>Thanks,<br>Elisha Ebenezer.
_______________________________________________<br>slf4j-user mailing list<br><a href="mailto:slf4j-user@qos.ch">slf4j-user@qos.ch</a><br>http://qos.ch/mailman/listinfo/slf4j-user</blockquote></div><br></div></div></body></html>