Uploaded image for project: 'Maven Resolver'
  1. Maven Resolver
  2. MRESOLVER-56

Support SHA-256 and SHA-512 as checksums

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Maven Artifact Resolver 1.1.1
    • 1.5.0, 1.6.0, 1.6.1
    • Resolver
    • None

    Description

      As both supported checksums on remote repositories (namely MD5 and SHA1) have known flaws it would be nice if the Maven Resolver could also leverage other hashes like SHA256 and SHA512.
      Although those hashes aren't part of the official Maven 2 repository layout (https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final, couldn't find any newer/other spec) I don't see how an additional .sha256 or .sha512 file could introduce backwards compatibility issues with older clients.

      I think this namely would mean you would also return SHA512 and SHA256 if they exist and leverage if they are supported by the JRE. The longer the hash the better it is, therefore the hashes should be checked in the following order

      1. SHA512
      2. SHA256
      3. SHA1
      4. MD5

      This would need to be considered in the API within https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165 and https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.

      Attachments

        Issue Links

          blocks

          Improvement - An improvement or enhancement to an existing feature or task. MPOM-244 Deploy SHA-512 for source-release to Remote Repository

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. SLING-7534 Release policy - stop providing MD5 and start providing SHA-512 checksums

          • Major - Major loss of function.
          • Resolved
          causes

          Bug - A problem which impairs or prevents the functions of the product. MRESOLVER-138 MRESOLVER-56 introduces severe performance regression

          • Major - Major loss of function.
          • Closed
          fixes

          Bug - A problem which impairs or prevents the functions of the product. MRESOLVER-246 m-deploy-p will create hashes for hashes

          • Major - Major loss of function.
          • Closed
          is related to

          New Feature - A new feature of the product, which has yet to be developed. MSHARED-704 Option to create SHA256/SHA512

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MDEPLOY-271 Allow to optionally disable checksum creation

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MSHARED-922 Remove checksum creation from DefaultProjectDeployer

          • Major - Major loss of function.
          • Closed
          relates to

          New Feature - A new feature of the product, which has yet to be developed. MRESOLVER-115 Make checksum algorithms configurable

          • Major - Major loss of function.
          • Closed
          supercedes

          New Feature - A new feature of the product, which has yet to be developed. MINSTALL-82 Add sha 256 support

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Pull Request #52

          Web Link GitHub Pull Request #53

          Web Link NEXUS-21802

          Activity

            People

              michael-o Michael Osipov
              kwin Konrad Windszus
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: