Details
-
Improvement
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
3.6.3
-
None
Description
The default checksum policy when obtaining artifacts during a build is currently, by default, "warn". This seems a bit odd for me since a checksum is usually used to prevent the use of corrupted data.
Since Maven produces a lot of output (and some IDEs sometimes hide it), it is easy to miss a bad checksum warning. I am aware that there is a checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be defined for all repositories at once. It has to be done either on a per-repository basis or by using the "strict-checksum" flag in the command line.
After searching around a bit on the Web and with the help of a coworker, we discovered that the default "warn" setting was mainly there because some repositories were not handling checksums quite well. Issue MNG-339 contains some information about this.
My colleague also chatted briefly with "trygvis" on IRC. Apparently, the default "warn" setting is really there for historical reasons.
I believe that a default value of "fail" would greatly reduce the likelihood of errors and also slightly increase the security of Maven. Corrupted artifacts should not, by default, be used for builds.
Attachments
Issue Links
- is duplicated by
-
MNG-6422 Maven by default does not check checksums; Maven lacks reproducible builds capability
-
- Closed
-
- relates to
-
-
- Reopened
-
-
MRESOLVER-151 Enforce a checksum policy to be provided explicitly
-
- Closed
-
- links to