Posted to issues@maven.apache.org by "Rafael Winterhalter (Jira)" <ji...@apache.org> on 2022/08/01 15:26:00 UTC

[jira] [Commented] (MRESOLVER-234) Introduce "provided" checksums feature

    [ https://issues.apache.org/jira/browse/MRESOLVER-234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17573811#comment-17573811 ] 

Rafael Winterhalter commented on MRESOLVER-234:
-----------------------------------------------

I am trying to use this by adding checksums to a folder that ships with my repo. Unfortunately, it does not seem like:

a) this feature is documented? How would I tell Maven what directory to check? I extracted my knowledge from the repo code so far.
b) this feature is part of the latest Maven release which uses Maven resolver 1.6.3. The feature is only included in version 1.8.0.

This is why I am wondering: will Maven 3.x update to Maven resolver 1.8.0 at some time?

Also: I must unfortunately say that the current approach is not safe. The checksum must also be validated for files from the local repository, but it seems like this is currently only done for downloaded artifacts. Consider the following scenario:
 1. User runs build on project A without checksums.
 2. Corrupted artifact is downloaded to local Maven repository.
 3. User runs build on project B with checksums.
 4. Despite provided checksum, Maven does not discover corruption as file is now fetched from local repository.

If there is anything I can do to volunteer my work to get this feature into Maven 3.x, I would be very happy to help. I know enough projects that are slow to update, and it's commonly especially those who would benefit from an easy option for this. I consider this a crucial missing feature in Maven, but I understand that your time is limited; therefore, I'd be more than happy to help.

> Introduce "provided" checksums feature
> --------------------------------------
>
>                 Key: MRESOLVER-234
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-234
>             Project: Maven Resolver
>          Issue Type: Task
>          Components: Resolver
>            Reporter: Tamás Cservenák
>            Assignee: Tamás Cservenák
>            Priority: Major
>             Fix For: 1.8.0
>
>
> Ability to "provide" checksums to resolver, so instead of getting them from remote ("external" or "in-lined"), the "provided" ones could be checked in along with sources.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
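
The scenario in the comment above, where an artifact already cached in the local repository is never compared against the checked-in checksum, can be caught by a pre-build check over the local repository. This is an added example, not part of the original message or of Maven Resolver; the checksum directory layout, the function names and the sample artifacts are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout (hypothetical, not the resolver's own): checksums_dir mirrors the
# local repository tree, with one "<artifact file>.<alg>" file per artifact.
ALGORITHMS = {".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}

def file_digest(path, algorithm):
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_local_repo(local_repo, checksums_dir):
    """Return [(artifact path, problem)] for cached files that fail a checked-in checksum."""
    problems = []
    for checksum_file in sorted(checksums_dir.rglob("*")):
        algorithm = ALGORITHMS.get(checksum_file.suffix)
        if algorithm is None or not checksum_file.is_file():
            continue
        rel = checksum_file.relative_to(checksums_dir).with_suffix("")
        artifact = local_repo / rel
        if not artifact.is_file():
            continue  # not cached yet, so there is nothing on disk to verify
        tokens = checksum_file.read_text().split()  # tolerate "digest  filename" lines
        if not tokens:
            problems.append((rel.as_posix(), "empty checksum file"))
        elif file_digest(artifact, algorithm) != tokens[0].lower():
            problems.append((rel.as_posix(), "mismatch"))
    return problems

def demo():
    """Constructed sample: one intact and one corrupted artifact in a throwaway repository."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, sums = Path(tmp, "repository"), Path(tmp, "checksums")
        for name, cached in (("good", b"good bytes"), ("bad", b"corrupted bytes")):
            rel = Path("org/example", name, "1.0", f"{name}-1.0.jar")
            (repo / rel).parent.mkdir(parents=True)
            (sums / rel).parent.mkdir(parents=True)
            (repo / rel).write_bytes(cached)
            expected = hashlib.sha256(f"{name} bytes".encode()).hexdigest()
            (sums / rel).with_name(rel.name + ".sha256").write_text(expected + "\n")
        return verify_local_repo(repo, sums)

if __name__ == "__main__":
    for path, problem in demo():
        print(f"{problem}: {path}")
```

Run against a real local repository and the checksum directory shipped with the sources, a non-empty result is a reason to fail the build before Maven resolves anything from the cache.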