maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Konrad Windszus (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MRESOLVER-56) Support SHA256 and SHA512 as checksums
Date Sat, 15 Sep 2018 12:39:00 GMT

    [ https://issues.apache.org/jira/browse/MRESOLVER-56?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16616272#comment-16616272
] 

Konrad Windszus commented on MRESOLVER-56:
------------------------------------------

I can test a branch. Where is it located?

> Support SHA256 and SHA512 as checksums
> --------------------------------------
>
>                 Key: MRESOLVER-56
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-56
>             Project: Maven Resolver
>          Issue Type: Improvement
>          Components: resolver
>    Affects Versions: Maven Artifact Resolver 1.1.1
>            Reporter: Konrad Windszus
>            Priority: Major
>
> As both supported checksums on remote repositories (namely MD5 and SHA1) have known flaws
it would be nice if the Maven Resolver could also leverage other hashes like SHA256 and SHA512.
> Although those hashes aren't part of the official Maven 2 repository layout (https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
couldn't find any newer/other spec) I don't see how an additional {{.sha256}} or {{.sha512}}
file could introduce backwards compatibility issues with older clients.
> I think this namely would mean you would also return SHA512 and SHA256 if they exist
and leverage if they are supported by the JRE. The longer the hash the better it is, therefore
the hashes should be checked in the following order
> # SHA512
> # SHA256
> # SHA1
> # MD5
> This would need to be considered in the API within https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165
and https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message