You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Tamás Cservenák (Jira)" <ji...@apache.org> on 2022/02/22 09:36:00 UTC

[jira] [Created] (MRESOLVER-242) When no remote checksums provided by layout, transfer inevitably fails/warns

Tamás Cservenák created MRESOLVER-242:
-----------------------------------------

             Summary: When no remote checksums provided by layout, transfer inevitably fails/warns
                 Key: MRESOLVER-242
                 URL: https://issues.apache.org/jira/browse/MRESOLVER-242
             Project: Maven Resolver
          Issue Type: Bug
            Reporter: Tamás Cservenák


On remote transfer, if layout does not provide remote checksums (as Javadoc states: it MAY return empty collection), remote transfer either WARNs or fails (if repository policy is WARN of FAIL respectively) always. This is wrong IMHO.
OTOH, layout intentionally does not return remote checksums in some cases, like GPG signature is, if the default Maven2RepositoryLayoutEx is used.

Hence, this causes that (sub)artifacts like checksums and signatures are NOT resolvable using resolver, due that above (they are deemed to always fail).

Hence, a proposed solution is:
* change of semantics: when layout does not provide remote checksums, skip checksum validation of remote checksums (as there is no such thing as "checksum of a checksum" or in many cases "checksum of a signature").
* make resolver layout "aware" of signatures, just like it is aware of checksums and make them extensible/configurable

Optionally:
* implement signing/signature verification services



--
This message was sent by Atlassian Jira
(v8.20.1#820001)