
Re: Upgrade to 9 questions

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Upgrade to 9 questions
Date: 2010-10-02 01:12:22
Message-ID: 4CA686F6.2040900@postnewspapers.com.au
Lists: pgsql-jdbc

On 2/10/2010 1:39 AM, Kevin Grittner wrote:
> I suspect that if you pull
> official jars from the JDBC download page, nobody will find anything
> amiss if you keep Maven central current.

Frankly, that's more than a little bit worrying. Joe Black Hat could 
rather trivially insert an exciting little back door into a version they 
"helpfully" push to Central. PgJDBC doesn't have published md5sums or 
gpg signatures, so there's no convenient way to verify that the jar 
being submitted is actually approved by the project.

I've been concerned about Maven's apparent lack of cryptographic 
verification before (and in fact the apparent lack of concern across the 
entire Java community), but I'd foolishly assumed Central uploads 
required authorization to push to a given groupId's section.

-- 
Craig Ringer

Tech-related writing at http://soapyfrogs.blogspot.com/
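The distinction Craig draws above, between a checksum served beside the artifact and a signature from a key the project controls, is easy to demonstrate. The following is an added example written for this page; it is not code from the thread, from PgJDBC or from Maven. It uses Go's standard-library Ed25519 rather than GPG so it runs offline, generates throwaway keys in-process, and uses constructed byte strings in place of a real jar; all names are hypothetical. The point it makes is general: an attacker who can overwrite the upload can overwrite the .sha1/.md5 sidecar too, so only a digest signed out of band by a project key distinguishes an approved jar from a substituted one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample bytes standing in for a jar as uploaded to the repository
// and for a tampered copy. Hypothetical; not the real PgJDBC artifact.
var (
	genuineJar  = []byte("PK\x03\x04 genuine pgjdbc classes")
	trojanedJar = []byte("PK\x03\x04 genuine pgjdbc classes + backdoor")
)

// Sidecar models the checksum file a repository serves next to the artifact.
// It is computed from whatever was uploaded, so it detects corruption in
// transit, not a substituted upload.
func Sidecar(jar []byte) string {
	sum := sha256.Sum256(jar)
	return hex.EncodeToString(sum[:])
}

// VerifyChecksumOnly is the check "compare the download against the published hash".
func VerifyChecksumOnly(jar []byte, sidecar string) bool {
	return Sidecar(jar) == sidecar
}

// Release is what a project would publish out of band from the repository:
// the digest of the approved jar, signed with the project's release key.
type Release struct {
	Digest    []byte
	Signature []byte
}

// SignRelease is the project's side, run once at release time with a private
// key that never goes near the repository.
func SignRelease(priv ed25519.PrivateKey, jar []byte) Release {
	d := sha256.Sum256(jar)
	return Release{Digest: d[:], Signature: ed25519.Sign(priv, d[:])}
}

var (
	ErrBadSignature   = errors.New("release signature does not verify under the project key")
	ErrDigestMismatch = errors.New("downloaded jar does not match the signed digest")
)

// VerifySignedRelease is the consumer's side. Order matters: authenticate the
// manifest under the trusted key first, then compare the download against it.
func VerifySignedRelease(pub ed25519.PublicKey, rel Release, jar []byte) error {
	if !ed25519.Verify(pub, rel.Digest, rel.Signature) {
		return ErrBadSignature
	}
	d := sha256.Sum256(jar)
	if !bytes.Equal(d[:], rel.Digest) {
		return ErrDigestMismatch
	}
	return nil
}

// Outcome records how each check responds to a substituted upload.
type Outcome struct {
	ChecksumAcceptsTrojan bool  // attacker re-uploads jar and sidecar together
	SignedRejectsTrojan   error // project-signed digest checked against the trojaned jar
	SignedRejectsForgery  error // attacker signs the trojan with a key that is not the project's
	SignedAcceptsGenuine  error // the approved jar verifies cleanly (nil)
}

// RunScenario plays out the attack Craig describes against both checks.
func RunScenario() Outcome {
	projPub, projPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	rel := SignRelease(projPriv, genuineJar)

	// The attacker controls the upload, so the sidecar matches the trojan.
	attackerSidecar := Sidecar(trojanedJar)

	return Outcome{
		ChecksumAcceptsTrojan: VerifyChecksumOnly(trojanedJar, attackerSidecar),
		SignedRejectsTrojan:   VerifySignedRelease(projPub, rel, trojanedJar),
		SignedRejectsForgery:  VerifySignedRelease(projPub, SignRelease(attackerPriv, trojanedJar), trojanedJar),
		SignedAcceptsGenuine:  VerifySignedRelease(projPub, rel, genuineJar),
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("checksum-only check accepts trojaned jar: %v\n", o.ChecksumAcceptsTrojan)
	fmt.Printf("signed digest vs trojaned jar: %v\n", o.SignedRejectsTrojan)
	fmt.Printf("signed digest forged with attacker key: %v\n", o.SignedRejectsForgery)
	fmt.Printf("signed digest vs genuine jar: %v\n", o.SignedAcceptsGenuine)
}
```

The practical equivalent is a detached GPG signature (.asc) over the release, verified against a project key obtained somewhere other than the repository that served the jar; a signature fetched from the same place as the artifact only proves that whoever uploaded the artifact also uploaded a signature.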


Copyright © 1996-2014 The PostgreSQL Global Development Group