Skip site navigation (1) Skip section navigation (2)

Re: Upgrade to 9 questions

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Upgrade to 9 questions
Date: 2010-10-02 01:12:22
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-jdbc
On 2/10/2010 1:39 AM, Kevin Grittner wrote:
> I suspect that if you pull
> official jars from the JDBC download page, nobody will find anything
> amiss if you keep Maven central current.

Frankly, that's more than a little bit worrying. Joe Black Hat could 
rather trivially insert an exciting little back door into a version they 
"helpfully" push to Central. PgJDBC doesn't have published md5sums or 
gpg signatures, so there's no convenient way to verify that the jar 
being submitted is actually approved by the project.

I've been concerned about Maven's apparent lack of cryptographic 
verification before (and in fact the apparent lack of concern across the 
entire Java community), but I'd foolishly assumed Central uploads 
required authorization to push to a given groupId's section.

Craig Ringer

Tech-related writing at

In response to

pgsql-jdbc by date

Next:From: Craig RingerDate: 2010-10-02 02:02:03
Subject: Re: [BUGS] Mapping Hibernate boolean to smallint(Postgresql)
Previous:From: Jeff HubbachDate: 2010-10-01 22:31:17
Subject: Re: [BUGS] Mapping Hibernate boolean to smallint(Postgresql)

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group