maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Osipov (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (MNG-5728) Switch the default checksum policy from "warn" to "fail"
Date Fri, 01 Jan 2016 20:16:39 GMT

     [ https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Michael Osipov updated MNG-5728:
--------------------------------
    Fix Version/s: Issues to be reviewed for 4.x

> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
>                 Key: MNG-5728
>                 URL: https://issues.apache.org/jira/browse/MNG-5728
>             Project: Maven
>          Issue Type: Improvement
>          Components: Artifacts and Repositories
>            Reporter: Nicolas Juneau
>            Priority: Minor
>             Fix For: Issues to be reviewed for 4.x
>
>
> The default checksum policy when obtaining artifacts during a build is currently, by
default, "warn". This seems a bit odd for me since a checksum is usually used to prevent the
use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is easy to
miss a bad checksum warning. I am aware that there is a checksumPolicy setting in Maven, but,
unless I am mistaken, it cannot be defined for all repositories at once. It has to be done
either on a per-repository basis or by using the "strict-checksum" flag in the command line.
> After searching around a bit on the Web and with the help of a coworker, we discovered
that the default "warn" setting was mainly there because some repositories were not handling
checksums quite well. Issue MNG-339 contains some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the default "warn"
setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood of errors
and also slightly increase the security of Maven. Corrupted artifacts should not, by default,
be used for builds.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message