Hiya,

So currently checksums are not generated by default... I've submitted a ticket which switched the install plugin to generate them by default.

Next step: stop using md5, which most have considered dead for several years, and, checking Apache's guidance (https://www.apache.org/dev/release-signing.html), sha512 should be being used. So either:

1) add support so md5, sha1, sha256 and sha512 are all generated
2) plugin defines which is generated
3) plugin defines a list which are generated
4) settings.xml defines which is generated
5) settings.xml defines a list which are generated?

Thoughts???

Next: currently when downloading we have ignore, warn or error if checksums don't match. I propose adding a checksum min level option, i.e. allow MD5 > SHA1 > SHA256 > SHA512. So:

1) Default to MD5
2) Wait till all maven plugins deploy a sha512 to central
3) Switch default to SHA512

What are developers' thoughts? What staged steps should this be merged as?

I would like to start helping getting the core maven and all of its dependencies more secure so people can start trusting maven is secure by default, as I get the feeling it isn't at the moment.

Cheers,
John
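As an added illustration of the "checksum min level" download policy proposed above (example code, not Maven's own): the checker picks the strongest published sidecar digest at or above a configured floor, so a weaker checksum cannot be used to downgrade verification, and applies the existing ignore / warn / error choices (named `fail` here, as in `settings.xml`). The sidecar dict, the `Level` ordering and the sample artifact bytes are all constructed for this example.

```python
import hashlib
import hmac
from enum import IntEnum


class Level(IntEnum):
    """Checksum strength ordering: MD5 < SHA1 < SHA256 < SHA512."""
    MD5 = 1
    SHA1 = 2
    SHA256 = 3
    SHA512 = 4


# Sidecar file extension (artifact.jar.sha512 etc.) -> strength level.
SIDECAR_LEVELS = {"md5": Level.MD5, "sha1": Level.SHA1,
                  "sha256": Level.SHA256, "sha512": Level.SHA512}


def verify(artifact: bytes, sidecars: dict, min_level: Level, policy: str = "fail") -> tuple:
    """Verify artifact bytes against the strongest published checksum >= min_level.

    sidecars maps extension -> checksum text as read from the repository.
    policy is one of ignore / warn / fail. Returns ("ok", algorithm) on a match;
    otherwise raises ValueError under "fail", or returns (policy, problem_text).
    """
    if policy not in ("ignore", "warn", "fail"):
        raise ValueError(f"unknown checksum policy: {policy}")

    # Only algorithms meeting the floor are eligible; weaker sidecars are ignored
    # even if present, which is what stops a downgrade to MD5.
    candidates = sorted(
        (ext for ext in sidecars if ext in SIDECAR_LEVELS and SIDECAR_LEVELS[ext] >= min_level),
        key=lambda e: SIDECAR_LEVELS[e], reverse=True)

    if not candidates:
        problem = f"no checksum at or above {min_level.name} published"
    else:
        ext = candidates[0]
        actual = hashlib.new(ext, artifact).hexdigest()
        # Sidecar files may be written as "<hex>  <filename>"; keep the digest token only.
        expected = sidecars[ext].strip().split()[0].lower()
        if hmac.compare_digest(actual, expected):
            return "ok", ext
        problem = f"{ext} mismatch: expected {expected}, got {actual}"

    if policy == "fail":
        raise ValueError(problem)
    return policy, problem


# Constructed sample: a tiny stand-in "artifact" with the sidecars a repo would publish.
ARTIFACT = b"PK\x03\x04 constructed jar bytes"
SIDECARS = {
    "md5": hashlib.md5(ARTIFACT).hexdigest(),
    "sha1": hashlib.sha1(ARTIFACT).hexdigest(),
    "sha512": hashlib.sha512(ARTIFACT).hexdigest() + "  artifact.jar",
}
```

With a SHA256 floor the check skips md5/sha1 and verifies against sha512; a repository that publishes only md5 is rejected under `fail` and merely flagged under `warn`.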