Posted to issues@maven.apache.org by "Rafael Winterhalter (Jira)" <ji...@apache.org> on 2022/08/03 13:55:00 UTC

[jira] [Updated] (MRESOLVER-268) Apply artifact checksum verification for any resolved artifact

     [ https://issues.apache.org/jira/browse/MRESOLVER-268?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rafael Winterhalter updated MRESOLVER-268:
------------------------------------------
    Description: 
Maven resolver currently only verifies provided checksums (via ProvidedChecksumsSource) when artifacts are downloaded from a remote repository. While this strategy is efficient when working with a clean local repository, it can create problems if two Maven projects share a local repository, where only one project validates hashes. If the first project has downloaded a corrupted artifact, the second project would now use this corrupted artifact despite knowing a non-matching checksum.

With the proposed change, artifacts are validated whenever they are resolved. This makes it possible to retain the integrity of a project also when sharing a local Maven repository with other, unsecured projects.

The current PR only activates this general validation if a global validation policy is defined.

  was:
Maven resolver currently only verifies provided checksums (via ProvidedChecksumsSource) when artifacts are downloaded from a remote repository. While this strategy is efficient when working with a clean local repository, it can create problems if two Maven projects share a local repository, where only one project validates hashes. If the first project has downloaded a corrupted artifact, the second project would now use this corrupted artifact despite knowing a non-matching checksum.

With the proposed change, artifacts are validated whenever they are resolved. This makes it possible to retain the integrity of a project also when sharing a local Maven repository with other, unsecured projects.


> Apply artifact checksum verification for any resolved artifact
> --------------------------------------------------------------
>
>                 Key: MRESOLVER-268
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-268
>             Project: Maven Resolver
>          Issue Type: Improvement
>            Reporter: Rafael Winterhalter
>            Priority: Major
>
> Maven resolver currently only verifies provided checksums (via ProvidedChecksumsSource) when artifacts are downloaded from a remote repository. While this strategy is efficient when working with a clean local repository, it can create problems if two Maven projects share a local repository, where only one project validates hashes. If the first project has downloaded a corrupted artifact, the second project would now use this corrupted artifact despite knowing a non-matching checksum.
> With the proposed change, artifacts are validated whenever they are resolved. This makes it possible to retain the integrity of a project also when sharing a local Maven repository with other, unsecured projects.
> The current PR only activates this general validation if a global validation policy is defined.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
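An added example (not part of the issue or of Maven Resolver's own code) that models the shared-local-repository problem the description raises: project A resolves with no provided checksums and caches a tampered artifact, then project B, which does have a provided checksum, resolves the same coordinate. The `resolve` and `shared_repo_scenario` functions, the artifact bytes and the `verify_on_resolve` switch are constructed for the illustration; the switch stands in for the proposed verify-on-every-resolution behaviour versus the current download-only check.

```python
import hashlib

# Constructed sample: one artifact coordinate, its genuine bytes and a tampered copy.
COORD = "org.example:lib:1.0"
GOOD_BYTES = b"genuine jar content"
TAMPERED_BYTES = b"tampered jar content"

# Provided checksums, as a project's ProvidedChecksumsSource would supply them
# (a constructed SHA-256 of the genuine bytes).
PROVIDED = {COORD: hashlib.sha256(GOOD_BYTES).hexdigest()}


class ChecksumMismatch(Exception):
    pass


def resolve(local_repo, remote, coord, provided, verify_on_resolve):
    """Resolve `coord` into `local_repo`, downloading from `remote` if absent.

    verify_on_resolve=False models the current behaviour: the provided
    checksum is checked only for fresh downloads. verify_on_resolve=True
    models the proposed behaviour: every resolved artifact is checked.
    """
    downloaded = coord not in local_repo
    if downloaded:
        local_repo[coord] = remote[coord]
    data = local_repo[coord]
    expected = provided.get(coord)
    if expected is not None and (downloaded or verify_on_resolve):
        if hashlib.sha256(data).hexdigest() != expected:
            raise ChecksumMismatch(coord)
    return data


def shared_repo_scenario(verify_on_resolve):
    """Project A (no checksums) caches a tampered artifact in the shared local
    repository; project B (with a provided checksum) then resolves the same
    coordinate. Returns "accepted" or "rejected" for project B."""
    local_repo = {}
    remote = {COORD: TAMPERED_BYTES}
    resolve(local_repo, remote, COORD, {}, verify_on_resolve)  # project A
    try:
        resolve(local_repo, remote, COORD, PROVIDED, verify_on_resolve)  # project B
    except ChecksumMismatch:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("download-only verification:", shared_repo_scenario(False))  # accepted
    print("verify on every resolve:   ", shared_repo_scenario(True))   # rejected
```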