...
A number of key security issues have been identified in the way Maven
resolves and retrieves dependencies. These issues have been identified in
documents written by Nat Pryce and John Casey:
http://docs.codehaus.org/display/MAVEN/Repository+-+Security
http://docs.codehaus.org/display/MAVEN/Repository+-+Security+by+nat+pryce
Casey proposes to tighten up the repository upload procedure, which is a
good first step. However, signing all artifacts (and in particular the
ongoing workload of distributing the derivative certificates that signing
requires) may prove to be too onerous a procedure.
...
References:
-----------
1. Using FreeBSD Ports:
   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports-using.html
2. NetBSD Pkgsrc:
   http://www.netbsd.org/Documentation/pkgsrc/
3. NetBSD Pkgsrc info about 'distinfo', where checksum/size info is stored:
   http://www.netbsd.org/Documentation/pkgsrc/components.html#components.distinfo
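As an added example (not from either of the documents above, nor from Maven or pkgsrc), here is a verifier for the distinfo-style checksum-plus-size record that reference 3 describes: the distinfo text, the artifact name and the artifact bytes are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample in the pkgsrc distinfo format (reference 3 above):
# "<ALGO> (<file>) = <hex>" and "Size (<file>) = <n> bytes" per distfile.
# The SHA1 below is that of the 11-byte constructed artifact b"hello world".
DISTINFO = """\
$NetBSD: distinfo,v 1.1 2006/01/01 00:00:00 example Exp $
SHA1 (example-lib-1.0.jar) = 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
Size (example-lib-1.0.jar) = 11 bytes
"""
ENTRY_RE = re.compile(r"^(\w+) \((.+?)\) = (.+?)(?: bytes)?$")

def parse_distinfo(text):
    """Map each distfile name to its expected Size (int) and digests (hex)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$NetBSD"):  # RCS header and blanks
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"malformed distinfo line: {line!r}")
        algo, fname, value = m.groups()
        rec = entries.setdefault(fname, {})
        rec[algo] = int(value) if algo == "Size" else value.lower()
    return entries

def verify_artifact(fname, data, entries, required=("Size", "SHA1")):
    """Return (ok, reasons); fails closed on a missing entry or field."""
    rec = entries.get(fname)
    if rec is None:
        return False, [f"no distinfo entry for {fname}"]
    reasons = [f"entry lacks {f}" for f in required if f not in rec]
    if "Size" in rec and len(data) != rec["Size"]:  # cheap check first
        reasons.append(f"size {len(data)} != {rec['Size']}")
    for algo, expected in rec.items():
        if algo == "Size":
            continue
        try:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        except ValueError:  # e.g. RMD160 not built into this OpenSSL
            reasons.append(f"unsupported digest {algo}")
            continue
        if not hmac.compare_digest(actual, expected):
            reasons.append(f"{algo} mismatch")
    return not reasons, reasons
```

A record like this catches a corrupted or substituted download, but only when the distinfo itself reaches the client over a path the downloader trusts more than the artifact's; the size check alone is just a cheap pre-filter before hashing.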
John Casey
This is a simple Copy/Paste from an email I sent out to the maven2 users.
...