maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Tubbs (JIRA)" <>
Subject [jira] [Commented] (MNG-5689) Checksum policy for mirrors
Date Wed, 28 Mar 2018 19:42:00 GMT


Christopher Tubbs commented on MNG-5689:

MNG-4645 implies that the configuration for central can be overridden by creating a new repository
configuration with the same id "central", but with different configuration, instead of using
a mirror. If that is true, then this issue can be closed, since the "mirrors" section seems
entirely unnecessary, if any repository can be overridden in the settings.xml file this way.

Either MNG-5728 or MNG-5506 would also satisfy my use case.

> Checksum policy for mirrors
> ---------------------------
>                 Key: MNG-5689
>                 URL:
>             Project: Maven
>          Issue Type: Improvement
>          Components: Settings
>    Affects Versions: 3.2.3
>            Reporter: Christopher Tubbs
>            Priority: Major
>              Labels: security-issue
> It does not appear that there is any way to configure a checksum policy for mirrors in
the settings.xml file.
> In particular, I'd love to enforce a "strict" checksum policy on maven central. I can
configure a mirrorOf central, but I cannot set the checksum policy. This seems like a big

This message was sent by Atlassian JIRA

View raw message