Uploaded image for project: 'Maven'
  1. Maven
  2. MNG-5728

Switch the default checksum policy from "warn" to "fail"




      The default checksum policy when obtaining artifacts during a build is currently, by default, "warn". This seems a bit odd for me since a checksum is usually used to prevent the use of corrupted data.

      Since Maven produces a lot of output (and some IDEs sometimes hide it), it is easy to miss a bad checksum warning. I am aware that there is a checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be defined for all repositories at once. It has to be done either on a per-repository basis or by using the "strict-checksum" flag in the command line.

      After searching around a bit on the Web and with the help of a coworker, we discovered that the default "warn" setting was mainly there because some repositories were not handling checksums quite well. Issue MNG-339 contains some information about this.

      My colleague also chatted briefly with "trygvis" on IRC. Apparently, the default "warn" setting is really there for historical reasons.

      I believe that a default value of "fail" would greatly reduce the likelihood of errors and also slightly increase the security of Maven. Corrupted artifacts should not, by default, be used for builds.


          Issue Links



              • Assignee:
                sfl-njuneau Nicolas Juneau
              • Votes:
                5 Vote for this issue
                9 Start watching this issue


                • Created: