[Yanel-dev] Maven trouble and missing signatures

Michael Wechner michael.wechner at wyona.com
Sat Apr 26 00:11:51 CEST 2008


Hi

I have recently tried to install Yanel from scratch on a fresh Unix 
account, where no Maven libs are located.

It didn't work, because it seems one of the public Maven servers did 
deliver broken libs (e.g. log4j or servlet lib).

Through this I have realized that the libs hosted by Wyona also are 
missing signatures, which is quite a security problem in case 
somebody would be able to log in and then replace the libs with something 
else.

I think we should do two things:

1) Create signatures for our hosted libs and make the signatures 
available on some different server so that they cannot be replaced as 
the libs might be exchanged

2) Configure the build process such that if a signature check fails, 
then also the build process fails

WDYT?

Cheers

Michi

-- 
Michael Wechner
Wyona      -   Open Source Content Management - Yanel, Yulup
http://www.wyona.com
michael.wechner at wyona.com, michi at apache.org
+41 44 272 91 61
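
The two steps proposed in the message above, sketched as a build gate; this is an added example, not part of the original message or of the Yanel build. It swaps in a SHA-256 digest manifest for detached signatures, so it only helps if the manifest comes from a host other than the one serving the libs. The names `verify_libs` and `sha256_of` and the manifest layout are assumptions.

```shell
#!/bin/sh
# Added example: fail the build when a lib does not match a digest manifest
# obtained from a different host than the one serving the libs.
# Assumptions (not from the original message): the manifest holds one
# "<sha256-hex>  <file-name>" line per lib; verify_libs is a hypothetical name.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_libs MANIFEST LIB_DIR
# Returns 0 only if every listed lib is present with a matching digest and
# no unlisted jar sits in LIB_DIR; returns 1 otherwise.
verify_libs() {
    manifest=$1
    lib_dir=$2
    status=0
    [ -r "$manifest" ] || { echo "FAIL: manifest unreadable" >&2; return 1; }

    # Every listed lib must exist and hash to the expected value.
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$lib_dir/$name" ]; then
            echo "FAIL: $name missing" >&2; status=1; continue
        fi
        if [ "$(sha256_of "$lib_dir/$name")" != "$expected" ]; then
            echo "FAIL: $name digest mismatch" >&2; status=1
        fi
    done < "$manifest"

    # A jar that the manifest does not list is also a failure.
    for jar in "$lib_dir"/*.jar; do
        [ -f "$jar" ] || continue
        base=$(basename "$jar")
        if ! awk -v n="$base" '$2 == n { f = 1 } END { exit !f }' "$manifest"; then
            echo "FAIL: $base not in manifest" >&2; status=1
        fi
    done
    return "$status"
}

# Build-step usage: verify_libs trusted/manifest.sha256 lib || exit 1
```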
