Posted to issues@maven.apache.org by "Robert Scholte (Jira)" <ji...@apache.org> on 2021/04/05 13:46:00 UTC

[jira] [Closed] (MWRAPPER-10) Checksums for maven-dists

     [ https://issues.apache.org/jira/browse/MWRAPPER-10?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Scholte closed MWRAPPER-10.
----------------------------------
      Assignee: Robert Scholte
    Resolution: Not A Problem

The maven-wrapper-plugin ONLY downloads the apache-maven-wrapper of a specific type (script/bin/source).
This plugin uses the artifactResolver, which means that it uses the same mechanism as Maven uses to download its plugins and dependencies, including verification of their checksums.
As a Maven user you can already control the verification of checksums (-C/-c), and with MNG-5728 in Maven 4 it will fail by default on a mismatch of the checksum.


> Checksums for maven-dists
> -------------------------
>
>                 Key: MWRAPPER-10
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-10
>             Project: Maven Wrapper
>          Issue Type: Bug
>            Reporter: Yannick Menager
>            Assignee: Robert Scholte
>            Priority: Critical
>
> Automatically downloading and running software is highly dangerous from a security point of view.
> Wrapper should include the ability to include a checksum and verify the downloaded zip file.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
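
Added example, not part of the original message and not code from Maven or the maven-wrapper-plugin: a sketch of verifying a downloaded artifact against a checksum file published next to it, with a "fail" policy that rejects a mismatch (the behaviour -C selects) and a "warn" policy that only reports it (the behaviour -c selects). The function names, the set of file extensions and the accepted checksum-file layouts are assumptions made for this example.

```python
import hashlib
import warnings

# Sidecar extension -> hashlib algorithm (assumed set for this example).
ALGORITHMS = {".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}


class ChecksumMismatch(Exception):
    """Raised when the policy is 'fail' and the digests differ."""


def parse_sidecar(text):
    """Extract the hex digest from a bare-digest or 'digest  filename' body."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty checksum file")
    digest = tokens[0].lower()
    bytes.fromhex(digest)  # raises ValueError if the token is not hex
    return digest


def verify(data, sidecar_name, sidecar_text, policy="fail"):
    """Return True on match; on mismatch raise ('fail') or warn and return False ('warn')."""
    if policy not in ("fail", "warn"):
        raise ValueError("policy must be 'fail' or 'warn'")
    algo = ALGORITHMS.get(sidecar_name[sidecar_name.rfind("."):])
    if algo is None:
        raise ValueError("unsupported checksum type: " + sidecar_name)
    expected = parse_sidecar(sidecar_text)
    actual = hashlib.new(algo, data).hexdigest()
    if expected == actual:
        return True
    message = "checksum mismatch (%s): expected %s, got %s" % (algo, expected, actual)
    if policy == "fail":
        raise ChecksumMismatch(message)
    warnings.warn(message)
    return False


# Constructed sample input: stand-in bytes, not a real Maven distribution.
SAMPLE = b"PK\x03\x04 constructed stand-in for a downloaded zip"
GOOD_SIDECAR = hashlib.sha512(SAMPLE).hexdigest() + "  sample-dist.zip\n"
TAMPERED = SAMPLE + b"\x00"

if __name__ == "__main__":
    print(verify(SAMPLE, "sample-dist.zip.sha512", GOOD_SIDECAR))
    print(verify(TAMPERED, "sample-dist.zip.sha512", GOOD_SIDECAR, policy="warn"))
```

A checksum fetched from the same server as the artifact detects corruption in transit but not a replaced artifact whose checksum file was replaced with it.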