Uploaded image for project: 'Maven Resolver'
  1. Maven Resolver
  2. MRESOLVER-56

Support SHA256 and SHA512 as checksums

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Maven Artifact Resolver 1.1.1
    • Fix Version/s: None
    • Component/s: resolver
    • Labels:
      None

      Description

      As both supported checksums on remote repositories (namely MD5 and SHA1) have known flaws it would be nice if the Maven Resolver could also leverage other hashes like SHA256 and SHA512.
      Although those hashes aren't part of the official Maven 2 repository layout (https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final, couldn't find any newer/other spec) I don't see how an additional .sha256 or .sha512 file could introduce backwards compatibility issues with older clients.

      I think this namely would mean you would also return SHA512 and SHA256 if they exist and leverage if they are supported by the JRE. The longer the hash the better it is, therefore the hashes should be checked in the following order

      1. SHA512
      2. SHA256
      3. SHA1
      4. MD5

      This would need to be considered in the API within https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165 and https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                kwin Konrad Windszus
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated: