Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2020/10/17 19:08:00 UTC

[jira] [Commented] (MNG-5689) Checksum policy for mirrors

    [ https://issues.apache.org/jira/browse/MNG-5689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17216019#comment-17216019 ] 

Michael Osipov commented on MNG-5689:
-------------------------------------

> If that is true, then this issue can be closed, since the "mirrors" section seems entirely unnecessary, if any repository can be overridden in the settings.xml file this way.

This is not correct. The mirror is still necessary to catch repositories from POMs which are not in {{settings.xml}}. By factoring out Central you will probably have those policies applied to the mirror.

The magic happens here: {{org.eclipse.aether.util.repository.DefaultMirrorSelector}}. The mirror inherits the policies of the repo it mirrors. This makes sense.

The population happens in {{org.apache.maven.internal.aether.DefaultRepositorySystemSessionFactory.newRepositorySession(MavenExecutionRequest)}}. This will require a settings model update.

> Checksum policy for mirrors
> ---------------------------
>
>                 Key: MNG-5689
>                 URL: https://issues.apache.org/jira/browse/MNG-5689
>             Project: Maven
>          Issue Type: Improvement
>          Components: Settings
>    Affects Versions: 3.2.3
>            Reporter: Christopher Tubbs
>            Priority: Major
>              Labels: security-issue
>
> It does not appear that there is any way to configure a checksum policy for mirrors in the settings.xml file.
> In particular, I'd love to enforce a "strict" checksum policy on maven central. I can configure a mirrorOf central, but I cannot set the checksum policy. This seems like a big oversight.



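The arrangement discussed in this message, as an added example that is not part of the original comment or of the Maven project's own files: a `settings.xml` that redeclares `central` with `checksumPolicy` set to `fail` and also mirrors it, so the mirror takes over that policy in the way the comment describes. The mirror id, profile id and mirror URL are placeholders chosen for illustration.

```xml
<!-- Added example for ~/.m2/settings.xml; ids and mirror URL are placeholders. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>internal-mirror</id>
      <!-- Only repositories whose id matches mirrorOf are redirected here. -->
      <mirrorOf>central</mirrorOf>
      <url>https://repo.example.org/maven2</url>
    </mirror>
  </mirrors>

  <profiles>
    <profile>
      <id>strict-central</id>
      <!-- Redeclare "central" so its policies come from settings.xml.
           The mirror has no policy element of its own and takes the
           policies of the repository it stands in for. -->
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <!-- Allowed values: ignore, warn, fail. "fail" aborts on a mismatch. -->
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots><enabled>false</enabled></snapshots>
        </repository>
      </repositories>
      <!-- Plugins resolve through a separate list, so repeat the policy. -->
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots><enabled>false</enabled></snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>strict-central</activeProfile>
  </activeProfiles>
</settings>
```

Repositories declared only in POMs under other ids are not covered by this override; they keep whatever policy their POM declares unless the `mirrorOf` pattern also matches them.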