Posted to issues@maven.apache.org by "Tamás Cservenák (Jira)" <ji...@apache.org> on 2022/06/24 08:38:00 UTC
[jira] [Updated] (MRESOLVER-265) Discrepancy between produced and recognized checksums
[ https://issues.apache.org/jira/browse/MRESOLVER-265?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tamás Cservenák updated MRESOLVER-265:
--------------------------------------
Description:
In short: repository layout has members:
* {{org.eclipse.aether.internal.impl.Maven2RepositoryLayoutFactory.Maven2RepositoryLayout#checksumAlgorithms}}
* {{org.eclipse.aether.internal.impl.Maven2RepositoryLayoutFactory.Maven2RepositoryLayout#extensionsWithoutChecksums}}
First one is checksums (as configured by user or default) that will be consumed (on fetch) or produced (publish), while second marks artifact extensions that need no checksums (on fetch -- fetched, or publish -- generated).
Now, if we consider "default" configured resolver (checksumAlgorithms=SHA1, MD5; extensionsWithoutChecksums=.asc) there is a discrepancy IF ANY OTHER supported but not configured checksum comes into play:
If a Mojo attaches an artifact having extension ".zip.sha512", resolver will checksum it (w/ {{checksumAlgorithms}} checksums) DESPITE it should know this is a checksum, and "checksum of a checksum" is nonsense, just makes noise.
Reason: method {{org.eclipse.aether.internal.impl.Maven2RepositoryLayoutFactory.Maven2RepositoryLayout#isChecksum}} works with preconfigured checksums only (in our example SHA1 and MD5) and will respond "no" for SHA512.
Proposal to fix:
The method check should NOT be based on {{checksumAlgorithms}} but on "all checksums supported by Resolver".
was:
In short: repository layout has members:
* {{org.eclipse.aether.internal.impl.Maven2RepositoryLayoutFactory.Maven2RepositoryLayout#checksumAlgorithms}}
* {{org.eclipse.aether.internal.impl.Maven2RepositoryLayoutFactory.Maven2RepositoryLayout#extensionsWithoutChecksums}}
First one is checksums (as configured by user or default) that will be consumed (on fetch) or produced (publish), while second marks artifact extensions that need no checksums (on fetch -- fetched, or publish -- generated).
Now, if we consider "default" configured resolver (checksumAlgorithms=SHA1, MD5; extensionsWithoutChecksums=.asc) there is a discrepancy IF ANY OTHER supported but not configured checksum comes into play:
If a Mojo attaches an artifact having extension ".zip.sha512", resolver will checksum it (w/ {{checksumAlgorithms}} checksums) DESPITE it should know this is a checksum, and "checksum of a checksum" is nonsense, just makes no sense.
Reason: method {{org.eclipse.aether.internal.impl.Maven2RepositoryLayoutFactory.Maven2RepositoryLayout#isChecksum}} works with preconfigured checksums only (in our example SHA1 and MD5) and will respond "no" for SHA512.
Proposal to fix:
The method check should NOT be based on {{checksumAlgorithms}} but on "all checksums supported by Resolver".
> Discrepancy between produced and recognized checksums
> -----------------------------------------------------
>
> Key: MRESOLVER-265
> URL: https://issues.apache.org/jira/browse/MRESOLVER-265
> Project: Maven Resolver
> Issue Type: Dependency upgrade
> Affects Versions: 1.8.0
> Reporter: Tamás Cservenák
> Priority: Major
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
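
A minimal Java model of the discrepancy described in this issue, added here as an illustration; it is not Maven Resolver code. The class and method names, the sample paths and the SUPPORTED list (assumed here to be SHA-512, SHA-256, SHA-1 and MD5) are assumptions made for the demo.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;

public class ChecksumRecognitionDemo {
    // Assumption: file extensions of every algorithm the resolver supports.
    static final List<String> SUPPORTED = List.of("sha512", "sha256", "sha1", "md5");
    // The "default" configuration from the report: SHA1 and MD5.
    static final List<String> CONFIGURED = List.of("sha1", "md5");
    // Extensions that get no checksums, as in the report's default setup.
    static final Set<String> EXTENSIONS_WITHOUT_CHECKSUMS = Set.of(".asc");

    /** True when the path ends with the extension of one of the given algorithms. */
    static boolean isChecksum(String path, Collection<String> algorithms) {
        return algorithms.stream().anyMatch(ext -> path.endsWith("." + ext));
    }

    /**
     * Checksum files that would be produced for a path. The 'recognized' set is
     * what isChecksum consults: CONFIGURED models the reported behaviour,
     * SUPPORTED models the proposed fix. Produced checksums always follow CONFIGURED.
     */
    static List<String> checksumLocations(String path, Collection<String> recognized) {
        if (isChecksum(path, recognized)
                || EXTENSIONS_WITHOUT_CHECKSUMS.stream().anyMatch(path::endsWith)) {
            return List.of(); // already a checksum or an excluded extension
        }
        List<String> locations = new ArrayList<>();
        for (String ext : CONFIGURED) {
            locations.add(path + "." + ext);
        }
        return locations;
    }

    public static void main(String[] args) {
        // Constructed sample paths, including the ".zip.sha512" attachment case.
        List<String> paths = List.of("app-1.0.zip", "app-1.0.zip.sha512",
                "app-1.0.zip.sha1", "app-1.0.zip.asc");
        for (String path : paths) {
            System.out.printf("%-20s reported=%s proposed=%s%n", path,
                    checksumLocations(path, CONFIGURED),
                    checksumLocations(path, SUPPORTED));
        }
    }
}
```

Only the `.zip.sha512` row differs between the two columns: with the configured set it gets `.sha1` and `.md5` companions, with the supported set it gets none.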