maven-issues mailing list archives

From "Christopher Tubbs (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MNG-5728) Switch the default checksum policy from "warn" to "fail"
Date Tue, 26 Sep 2017 20:17:00 GMT

    [ https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181497#comment-16181497 ]

Christopher Tubbs commented on MNG-5728:
----------------------------------------

Would love to see this. Saw a colleague just waste several hours on fixing what he thought
to be a classloader issue in a maven plugin, when it was really just a corrupted jar file
(presumably because of a bad internet connection).

> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
>                 Key: MNG-5728
>                 URL: https://issues.apache.org/jira/browse/MNG-5728
>             Project: Maven
>          Issue Type: Improvement
>          Components: Artifacts and Repositories
>            Reporter: Nicolas Juneau
>            Priority: Minor
>             Fix For: Issues to be reviewed for 4.x
>
>
> The default checksum policy when obtaining artifacts during a build is currently, by default, "warn". This seems a bit odd to me since a checksum is usually used to prevent the use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is easy to miss a bad checksum warning. I am aware that there is a checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be defined for all repositories at once. It has to be done either on a per-repository basis or by using the "strict-checksum" flag in the command line.
> After searching around a bit on the Web and with the help of a coworker, we discovered that the default "warn" setting was mainly there because some repositories were not handling checksums quite well. Issue MNG-339 contains some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the default "warn" setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood of errors and also slightly increase the security of Maven. Corrupted artifacts should not, by default, be used for builds.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
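The following is an added example, not part of the JIRA thread or of Maven's own code. It emulates the difference between the "warn" and "fail" checksum policies described above on a constructed Maven-style repository layout (each artifact stored beside a `.sha1` file holding its hex digest), showing how a truncated download slips through under "warn" but stops the build under "fail", and it writes the per-repository `checksumPolicy` configuration (a `settings.xml` profile for `central`) that the issue says is the only way to get "fail" today besides the `--strict-checksums` / `-C` command-line flag. The helper names (`verify_artifact`, `make_demo_repo`, `write_strict_settings`) and the sample artifact bytes are this example's own; treating a missing checksum file like a mismatch is a choice made here, not a statement about Maven's behaviour.

```shell
#!/bin/sh
# Added example (not from the JIRA thread or from Maven): emulate Maven's
# "warn" vs "fail" checksumPolicy on a repository layout where each artifact
# sits next to an <artifact>.sha1 file containing its hex SHA-1 digest.

# Pick a SHA-1 tool: GNU coreutils sha1sum, or Perl's shasum (macOS).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# verify_artifact <artifact-path> <policy>
#   policy is "warn" or "fail", the two values discussed in the issue.
#   Returns 0 when the digest matches. On mismatch: "warn" prints a warning
#   and still returns 0 (the build goes on with corrupted bytes); "fail"
#   returns 1 so the build stops. A missing .sha1 file is treated as a
#   mismatch here (this script's choice, not a claim about Maven).
verify_artifact() {
  artifact=$1
  policy=$2
  checksum_file="$artifact.sha1"
  if [ -f "$checksum_file" ]; then
    # Some repositories write "digest  filename"; keep only the first token.
    expected=$(head -n1 "$checksum_file" | tr -d '\r' | cut -d' ' -f1 \
               | tr '[:upper:]' '[:lower:]')
  else
    expected="(no checksum file)"
  fi
  actual=$(sha1_of "$artifact")
  if [ "$expected" = "$actual" ]; then
    return 0
  fi
  case "$policy" in
    fail)
      echo "ERROR: checksum mismatch for $artifact (expected $expected, got $actual)" >&2
      return 1 ;;
    *)
      echo "WARNING: checksum mismatch for $artifact (expected $expected, got $actual)" >&2
      return 0 ;;
  esac
}

# make_demo_repo <dir>: lay out a constructed sample repository (not a real
# download) with one intact artifact and one whose bytes were truncated after
# its checksum was recorded, which is what a bad connection leaves behind.
make_demo_repo() {
  repo=$1
  mkdir -p "$repo"
  printf 'intact artifact bytes\n' > "$repo/good.jar"
  sha1_of "$repo/good.jar" > "$repo/good.jar.sha1"
  printf 'intact artifact bytes\n' > "$repo/bad.jar"
  sha1_of "$repo/bad.jar" > "$repo/bad.jar.sha1"
  printf 'intact artifact byt' > "$repo/bad.jar"   # simulate a truncated download
}

# write_strict_settings <path>: a settings.xml profile that sets
# checksumPolicy=fail for central, for both plain and plugin repositories.
# (Per-repository is the only place checksumPolicy can be set, as the issue
# notes; the alternative is "mvn -C", i.e. --strict-checksums.)
write_strict_settings() {
  cat > "$1" <<'EOF'
<settings>
  <profiles>
    <profile>
      <id>strict-checksums</id>
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases><checksumPolicy>fail</checksumPolicy></releases>
          <snapshots><checksumPolicy>fail</checksumPolicy></snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases><checksumPolicy>fail</checksumPolicy></releases>
          <snapshots><checksumPolicy>fail</checksumPolicy></snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles><activeProfile>strict-checksums</activeProfile></activeProfiles>
</settings>
EOF
}

# Demo run on the constructed repository.
demo_dir=$(mktemp -d)
make_demo_repo "$demo_dir/repo"
verify_artifact "$demo_dir/repo/good.jar" fail && echo "good.jar: checksum ok"
verify_artifact "$demo_dir/repo/bad.jar" warn && echo "bad.jar under warn: build continues with corrupted jar"
verify_artifact "$demo_dir/repo/bad.jar" fail || echo "bad.jar under fail: build stops"
write_strict_settings "$demo_dir/settings.xml"
echo "strict settings written to $demo_dir/settings.xml"
rm -rf "$demo_dir"
```

The "warn" branch is the failure mode the comment describes: the warning goes to stderr among everything else Maven prints, and the corrupted jar is loaded anyway, which is why the symptom looks like a classloader problem rather than a download problem. Copying the generated profile into `~/.m2/settings.xml` (or passing `-C` on every invocation) gives the "fail" behaviour the issue asks to make the default.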
