You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Guillaume Nodet (Jira)" <ji...@apache.org> on 2022/10/20 08:11:03 UTC

[jira] [Updated] (MNG-5728) Switch the default checksum policy from "warn" to "fail"

     [ https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet updated MNG-5728:
---------------------------------
    Fix Version/s: 4.0.0-alpha-2

> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
>                 Key: MNG-5728
>                 URL: https://issues.apache.org/jira/browse/MNG-5728
>             Project: Maven
>          Issue Type: Improvement
>          Components: Artifacts and Repositories
>    Affects Versions: 3.6.3
>            Reporter: Nicolas Juneau
>            Assignee: Robert Scholte
>            Priority: Minor
>             Fix For: 4.0.0-alpha-1, 4.0.0-alpha-2, 4.0.0
>
>
> The default checksum policy when obtaining artifacts during a build is currently, by default, "warn". This seems a bit odd for me since a checksum is usually used to prevent the use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is easy to miss a bad checksum warning. I am aware that there is a checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be defined for all repositories at once. It has to be done either on a per-repository basis or by using the "strict-checksum" flag in the command line.
> After searching around a bit on the Web and with the help of a coworker, we discovered that the default "warn" setting was mainly there because some repositories were not handling checksums quite well. Issue MNG-339 contains some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the default "warn" setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood of errors and also slightly increase the security of Maven. Corrupted artifacts should not, by default, be used for builds.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)