The default checksum policy when obtaining artifacts during a build is currently, by default, "warn". This seems a bit odd for me since a checksum is usually used to prevent the use of corrupted data.
Since Maven produces a lot of output (and some IDEs sometimes hide it), it is easy to miss a bad checksum warning. I am aware that there is a checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be defined for all repositories at once. It has to be done either on a per-repository basis or by using the "strict-checksum" flag in the command line.
After searching around a bit on the Web and with the help of a coworker, we discovered that the default "warn" setting was mainly there because some repositories were not handling checksums quite well. Issue MNG-339 contains some information about this.
My colleague also chatted briefly with "trygvis" on IRC. Apparently, the default "warn" setting is really there for historical reasons.
I believe that a default value of "fail" would greatly reduce the likelihood of errors and also slightly increase the security of Maven. Corrupted artifacts should not, by default, be used for builds.
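As an added illustration (not part of the original post) of the per-repository workaround mentioned above, the following `settings.xml` fragment overrides the default policy for the central repository and the central plugin repository by redefining them in a profile that is always active. The profile id `strict-checksums` is an arbitrary name chosen here; the repository id `central` and the URL are the real Maven Central coordinates. Both `<repositories>` and `<pluginRepositories>` need the override, because the checksum policy is set per repository definition and plugin downloads use a separate list.

```xml
<!-- ~/.m2/settings.xml: make a bad checksum abort the build instead of only warning -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles>
    <profile>
      <!-- arbitrary profile name chosen for this example -->
      <id>strict-checksums</id>
      <repositories>
        <repository>
          <!-- same id as the built-in central repository, so this definition replaces it -->
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <!-- default is "warn"; "fail" stops the build on a checksum mismatch -->
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <!-- plugins are resolved from a separate repository list; override it too -->
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <!-- activate the profile for every build run with this settings file -->
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>
```

With this in place, a download whose `.sha1` or `.md5` file does not match the artifact fails the build instead of producing a warning that can scroll past unnoticed. Any additional repository declared in a POM or another profile still gets the default policy unless it also sets `<checksumPolicy>fail</checksumPolicy>`; the one-off alternative that applies to all repositories for a single run is the `-C` (`--strict-checksums`) command-line option, for example `mvn -C verify`.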