Posted to issues@maven.apache.org by "Robert Scholte (JIRA)" <ji...@apache.org> on 2018/06/18 20:48:00 UTC

[jira] [Closed] (MNG-6422) Maven by default does not check checksums; Maven lacks reproducible builds capability

     [ https://issues.apache.org/jira/browse/MNG-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Scholte closed MNG-6422.
-------------------------------
       Resolution: Duplicate
         Assignee: Robert Scholte
    Fix Version/s:     (was: waiting-for-feedback)

Kind of a duplicate of MNG-5728, which will very likely be fixed in the next major version.

> Maven by default does not check checksums; Maven lacks reproducible builds capability
> -------------------------------------------------------------------------------------
>
>                 Key: MNG-6422
>                 URL: https://issues.apache.org/jira/browse/MNG-6422
>             Project: Maven
>          Issue Type: Bug
>    Affects Versions: 3.5.0
>            Reporter: Martin Vysny
>            Assignee: Robert Scholte
>            Priority: Major
>
> Maven by default does not check checksums of downloaded jar files. That leads to ridiculous situations like for example when a misconfigured Artifactory instance provides an HTML directory listing instead of an actual jar file (because of an incorrect path or access denied or another reason). Maven should reject such a jar file (since it can't match the checksum), but instead it happily stores it into the local repository and then later fails because it's not a valid zip file.
> This issue exposes something even worse - you actually can't have reproducible builds with Maven since the reproducibility of the build depends on whatever you have in your local .m2 repository. So for example the build fails for me (since my local .m2 is populated by borked jar files which are really HTML files), but it succeeds for my colleagues (simply because they populated their local .m2 repo at a different time and they have proper actual jar files).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
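The situation the reporter describes, as an added example that is not part of the JIRA thread: a POSIX shell audit of a local .m2 repository that flags artifacts which are not ZIP files at all (an HTML listing saved under a .jar name) or whose bytes do not match the .sha1 sidecar Maven keeps beside each downloaded file (the sidecar naming and repository layout are assumptions of this example). For the build itself, `mvn -C` (`--strict-checksums`) makes Maven fail instead of warn on a checksum mismatch.

```shell
# Added example, not code from the JIRA thread: scan a local Maven repository
# for .jar files that are not ZIP archives (e.g. an HTML directory listing) or
# whose SHA-1 differs from the <artifact>.sha1 sidecar (sidecar name assumed).

# Returns 0 if the file starts with the ZIP magic "PK", 1 otherwise.
is_zip() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "PK" ]
}

# SHA-1 of a file; works with GNU sha1sum or the BSD/macOS shasum.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# check_artifact <jar>: prints a verdict; returns 0 ok, 1 not a ZIP,
# 2 checksum mismatch, 3 no .sha1 sidecar to compare against.
check_artifact() {
    jar=$1
    sidecar="$jar.sha1"
    if ! is_zip "$jar"; then
        echo "NOT-A-ZIP  $jar"
        return 1
    fi
    [ -f "$sidecar" ] || { echo "NO-SIDECAR $jar"; return 3; }
    # Sidecar may be "<hex>" or "<hex>  <name>"; take the first token.
    expected=$(head -n 1 "$sidecar" | awk '{print tolower($1)}')
    actual=$(sha1_of "$jar")
    if [ "$expected" = "$actual" ]; then
        echo "OK         $jar"
        return 0
    fi
    echo "MISMATCH   $jar (expected $expected, got $actual)"
    return 2
}

# scan_repo [dir]: check every .jar under dir (default ~/.m2/repository);
# returns 0 only if every artifact passed.
scan_repo() {
    bad=0
    while IFS= read -r f; do
        [ -n "$f" ] && { check_artifact "$f" || bad=$((bad + 1)); }
    done <<EOF
$(find "${1:-$HOME/.m2/repository}" -name '*.jar' -type f)
EOF
    [ "$bad" -eq 0 ]
}
```

Run `scan_repo` with no argument to audit the default local repository, or pass another repository path; a non-zero exit means at least one artifact should be deleted and re-downloaded.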