You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Hudson (Jira)" <ji...@apache.org> on 2020/06/05 08:38:00 UTC

[jira] [Commented] (MRESOLVER-56) Support SHA-256 and SHA-512 as checksums

    [ https://issues.apache.org/jira/browse/MRESOLVER-56?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17126543#comment-17126543 ] 

Hudson commented on MRESOLVER-56:
---------------------------------

Build succeeded in Jenkins: Maven TLP » maven-resolver » master #70

See https://builds.apache.org/job/maven-box/job/maven-resolver/job/master/70/

> Support SHA-256 and SHA-512 as checksums
> ----------------------------------------
>
>                 Key: MRESOLVER-56
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-56
>             Project: Maven Resolver
>          Issue Type: Improvement
>          Components: resolver
>    Affects Versions: Maven Artifact Resolver 1.1.1
>            Reporter: Konrad Windszus
>            Assignee: Michael Osipov
>            Priority: Major
>             Fix For: 1.4.3
>
>
> As both supported checksums on remote repositories (namely MD5 and SHA1) have known flaws it would be nice if the Maven Resolver could also leverage other hashes like SHA256 and SHA512.
> Although those hashes aren't part of the official Maven 2 repository layout (https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final, couldn't find any newer/other spec) I don't see how an additional {{.sha256}} or {{.sha512}} file could introduce backwards compatibility issues with older clients.
> I think this namely would mean you would also return SHA512 and SHA256 if they exist and leverage if they are supported by the JRE. The longer the hash the better it is, therefore the hashes should be checked in the following order
> # SHA512
> # SHA256
> # SHA1
> # MD5
> This would need to be considered in the API within https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165 and https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)