maven-issues mailing list archives

From "Christopher Tubbs (JIRA)" <>
Subject [jira] [Commented] (MNG-5689) Checksum policy for mirrors
Date Sat, 24 Mar 2018 19:16:00 GMT


Christopher Tubbs commented on MNG-5689:

I had a mirror with broken artifacts in it... which is what motivated me to create this. Maven
was perfectly happy downloading the broken artifacts, warning about them (the default behavior),
and then putting the broken artifacts on the class path when I built my application. It was
a pain to figure out why my builds were failing. A strict "fail" checksum policy would have
made it obvious.

> Checksum policy for mirrors
> ---------------------------
>                 Key: MNG-5689
>                 URL:
>             Project: Maven
>          Issue Type: Improvement
>          Components: Settings
>    Affects Versions: 3.2.3
>            Reporter: Christopher Tubbs
>            Priority: Major
>              Labels: security-issue
> It does not appear that there is any way to configure a checksum policy for mirrors in the settings.xml file.
> In particular, I'd love to enforce a "strict" checksum policy on maven central. I can configure a mirrorOf central, but I cannot set the checksum policy. This seems like a big

This message was sent by Atlassian JIRA
