Posted to dev@maven.apache.org by Brett Porter <br...@apache.org> on 2010/05/03 08:12:34 UTC

Re: State of checksums?

On 01/05/2010, at 3:19 AM, Benjamin Bentmann wrote:

> Hi,
> 
> considering the recent fixes to checksums for stuff in central, I was wondering what's the overall state of (existing) checksums on central these days?

Probably still not great.

We aren't using these for an integrity-of-the-repository purpose, so perhaps it's a good time to automatically fix them on central (keeping a record of what was changed, and what it used to be just in case), then turn on the fail option by default. You can be sure if it fails by default that content will be more carefully managed :)

> 
> Assuming checksums are correct where present, this should put us in a good position to introduce a new checksum policy "fail-if-present" or just "strict" some day. The difference to the existing "fail" policy would be to only fail the build if at least one checksum file to verify is actually present. Making this policy the default for central would reduce the grief caused by Maven happily downloading HTTP status pages and trying to build class paths from HTML files...
> 
> 
> Benjamin
> 

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
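As an added example (not code from this thread, and not Maven's own implementation): a small Python model of the checksum policies under discussion, including the proposed "strict" (fail-if-present) policy, with a parser tolerant of the checksum-file format variations that the thread mentions needing fixes. The policy names as strings and the treatment of a present-but-unparsable checksum file (such as an HTML status page) are assumptions.

```python
import hashlib
import re

# Hex digest lengths for the checksum files Maven publishes alongside artifacts.
_DIGEST_LEN = {"sha1": 40, "md5": 32}


def parse_checksum_file(text, algo="sha1"):
    """Extract the hex digest from a .sha1/.md5 file, tolerating the formats
    seen in the wild: bare digest, 'digest  filename' (sha1sum output),
    'digest *filename', uppercase hex, CRLF or trailing whitespace.
    Returns None when no digest is found, e.g. when the 'checksum file'
    is really an HTML error page served with a 200 status."""
    want = _DIGEST_LEN[algo]
    m = re.match(r"\s*([0-9A-Fa-f]{%d})(?![0-9A-Fa-f])" % want, text)
    return m.group(1).lower() if m else None


def verify(artifact, checksum_text, policy, algo="sha1"):
    """Decide whether a downloaded artifact is acceptable under a policy.

    policy is one of (assumed names): "warn"  - never reject, only report;
                                      "fail"  - reject on missing, bad or mismatching checksum;
                                      "strict"- fail-if-present: accept when no checksum
                                                file exists, otherwise behave like "fail".
    checksum_text is None when the remote repository had no checksum file.
    Returns (ok, reason)."""
    actual = hashlib.new(algo, artifact).hexdigest()
    if checksum_text is None:
        # Missing checksum file: only "fail" rejects; "strict" and "warn" proceed.
        if policy == "fail":
            return False, "checksum file missing"
        return True, "no checksum file to verify"
    expected = parse_checksum_file(checksum_text, algo)
    if expected is None:
        # Present but unparsable (assumption: treated as a failed verification).
        return policy == "warn", "checksum file present but unparsable"
    if expected != actual:
        return policy == "warn", "checksum mismatch"
    return True, "checksum verified"
```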


Re: State of checksums?

Posted by Brian Fox <br...@infinity.nu>.
> Seems to me that the first step is to prevent any new files being
> added to central unless they have valid hashes and signatures to stop
> the problem getting worse - or has that already been done?

This is being done. The signatures are checked, but the hashes
currently aren't. That's a trivial rule addition that we'll likely
have in place this week. The old rsyncs that allowed wide open crap are
being phased out and people are increasingly going through one of the
forges that provide the validation.



Re: State of checksums?

Posted by sebb <se...@gmail.com>.
On 03/05/2010, Brett Porter <br...@apache.org> wrote:
>
>  On 01/05/2010, at 3:19 AM, Benjamin Bentmann wrote:
>
>  > Hi,
>  >
>  > considering the recent fixes to checksums for stuff in central, I was wondering what's the overall state of (existing) checksums on central these days?
>
>
> Probably still not great.
>
>  We aren't using these for an integrity-of-the-repository purpose, so perhaps it's a good time to automatically fix them on central (keeping a record of what was changed, and what it used to be just in case), then turn on the fail option by default. You can be sure if it fails by default that content will be more carefully managed :)
>

Seems to me that ideally the problems should be fixed at source, i.e.
on the forge (if that's the correct Maven term) that provided the
original data.

Unless there is some independent way of checking that the files being
hashed are the correct files, creating new hashes seems like a bad
idea, as it would allow a corrupt version to be introduced.

Creating new hashes is very different from fixing the format of hash files.

Seems to me that the first step is to prevent any new files being
added to central unless they have valid hashes and signatures to stop
the problem getting worse - or has that already been done?

