You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Elliotte Rusty Harold (Jira)" <ji...@apache.org> on 2019/12/15 17:57:00 UTC

[jira] [Commented] (MINSTALL-133) Take Security More Seriously - Checksum by default

    [ https://issues.apache.org/jira/browse/MINSTALL-133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16996812#comment-16996812 ] 

Elliotte Rusty Harold commented on MINSTALL-133:
------------------------------------------------

I think the install plugin only copies the built jar into the local repository. It's not used for remote deployment, and I can't think of anything that would fail if the checksum were off in this case. I propose closing this issue as won't fix unless a clearer problem can be stated. 

Remote deployment is a very different story, but that's not this plugin. 

> Take Security More Seriously - Checksum by default
> --------------------------------------------------
>
>                 Key: MINSTALL-133
>                 URL: https://issues.apache.org/jira/browse/MINSTALL-133
>             Project: Maven Install Plugin
>          Issue Type: Bug
>          Components: install:install, install:install-file
>    Affects Versions: 2.5.2
>            Reporter: John Patrick
>            Priority: Major
>
> I believe that a default of createChecksum being false is bad practice and a checksum should always being produced.
> Maven doesn't appear to have a guide so I'm looking towards the main apache guide i.e. https://www.apache.org/dev/release-signing.html



--
This message was sent by Atlassian Jira
(v8.3.4#803005)