maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Konrad Windszus (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (MRESOLVER-56) Support SHA256 and SHA512 as hashes
Date Mon, 03 Sep 2018 14:57:00 GMT

     [ https://issues.apache.org/jira/browse/MRESOLVER-56?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Konrad Windszus updated MRESOLVER-56:
-------------------------------------
    Description: 
As both supported checksums on remote repositories (namely MD5 and SHA1) have known flaws
it would be nice if the Maven Resolver could also leverage other hashes like SHA256 and SHA512.
Although those hashes aren't part of the official Maven 2 repository layout (https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
couldn't find any newer/other spec) I don't see how an additional {{.sha256}} or {{.sha512}}
file could introduce backwards compatibility issues with older clients.

I think this namely would mean you would also return SHA512 and SHA256 if they exist and leverage
if they are supported by the JRE. The longer the hash the better it is, therefore the hashes
should be checked in the following order
# SHA512
# SHA256
# SHA1
# MD5

This would need to be considered in the API within https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165
and https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.

  was:
As both supported checksums on remote repositories (namely MD5 and SHA1 have known flaws)
it would be nice if the Maven Resolver could also leverage other hashes like SHA256 and SHA512.
Although those hashes aren't part of the official Maven 2 repository layout (https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
couldn't find any newer/other spec) I don't see how an additional .SHA256 file could introduce
backwards compatibility issues with older clients.

I think this namely would mean you would also return SHA512 and SHA256 if they exist and leverage
if they are supported by the JRE. The longer the hash the better it is, therefore the hashes
should be checked in the following order
# SHA512
# SHA256
# SHA1
# MD5

This would need to be considered in the API within https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165
and https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.


> Support SHA256 and SHA512 as hashes
> -----------------------------------
>
>                 Key: MRESOLVER-56
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-56
>             Project: Maven Resolver
>          Issue Type: Improvement
>          Components: resolver
>    Affects Versions: Maven Artifact Resolver 1.1.1
>            Reporter: Konrad Windszus
>            Priority: Major
>
> As both supported checksums on remote repositories (namely MD5 and SHA1) have known flaws
it would be nice if the Maven Resolver could also leverage other hashes like SHA256 and SHA512.
> Although those hashes aren't part of the official Maven 2 repository layout (https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
couldn't find any newer/other spec) I don't see how an additional {{.sha256}} or {{.sha512}}
file could introduce backwards compatibility issues with older clients.
> I think this namely would mean you would also return SHA512 and SHA256 if they exist
and leverage if they are supported by the JRE. The longer the hash the better it is, therefore
the hashes should be checked in the following order
> # SHA512
> # SHA256
> # SHA1
> # MD5
> This would need to be considered in the API within https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165
and https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message