Folks,
I have recently been (indirectly) approached by Mark Thomas for the
Tomcat committers: he wants to provide SHA-2 hashes for all uploaded
Tomcat artifacts in Central. Since Nexus 2.14.18 supports this properly
for validation, I have picked up MRESOLVER-56 and asked for testing.
I'd also like to discuss two proposals for the Maven community:
1. Introduce SHA-2 support in Maven Resolver 1.4.3, which will go into
Maven 3.7.0
2. Deprecate MD5 and SHA-1 with that release and make them obsolete with
Maven 4.0 and Maven Resolver 2.0, which will also include a package change.
Those proposals have the following greater implications:
1.
* Certain repo managers might reject hashes they don't know, as Nexus
did on repository.a.o.
* This will incur two more requests with each upload and download. In
the latter case, they will fail with 404 because most repo managers won't
have SHA-2 hashes. Central fails the same way for now (will be solved with 2.).
2.
* All repo managers will need to
** Rehash all current content to provide SHA-2 hashes
** Require SHA-2 hashes to be uploaded
** Reject MD5 and SHA-1 hashes
* Old tools will fail because MD5 and SHA-1 hashes are gone:
** Uploads will be rejected
** Strict download validation will fail
Please comment. I will also provide a draft PR soon.
I can cast two formal votes if required.
Michael
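
As an added illustration (not part of the original message and not Maven Resolver code), this Python sketch models the download-side implications listed above: the extra 404 round trips when a client asks for SHA-2 sidecars first, and strict validation failing for an old client once only SHA-2 hashes remain. The `.sha512`/`.sha256` sidecar names, the strongest-first order, the sample path and the dict standing in for a repository are assumptions.

```python
import hashlib

# Sidecar extension -> hashlib algorithm name (extensions are an assumption).
ALGORITHMS = {"sha512": "sha512", "sha256": "sha256", "sha1": "sha1", "md5": "md5"}


class ChecksumFailure(Exception):
    """Raised on a checksum mismatch, or in strict mode when no sidecar exists."""


def make_repo(path, data, exts):
    """Build a constructed repository: a dict of path -> bytes with sidecars."""
    repo = {path: data}
    for ext in exts:
        repo[f"{path}.{ext}"] = hashlib.new(ALGORITHMS[ext], data).hexdigest().encode()
    return repo


def verify_artifact(repo, path, algorithms, strict=True):
    """Validate repo[path] against the first checksum sidecar the repo serves.

    A missing key models an HTTP 404. Returns (algorithm_used, misses), where
    misses is the number of 404 round trips spent before a sidecar was found.
    """
    data = repo[path]
    misses = 0
    for ext in algorithms:
        sidecar = repo.get(f"{path}.{ext}")
        if sidecar is None:  # repo manager has no hash of this kind
            misses += 1
            continue
        expected = sidecar.decode("ascii").split()[0].lower()
        if hashlib.new(ALGORITHMS[ext], data).hexdigest() != expected:
            raise ChecksumFailure(f"{ext} mismatch for {path}")
        return ext, misses
    if strict:
        raise ChecksumFailure(f"no usable checksum for {path}")
    return None, misses


if __name__ == "__main__":
    jar = "org/example/demo/1.0/demo-1.0.jar"  # constructed sample path
    legacy = make_repo(jar, b"constructed jar bytes", ["sha1", "md5"])
    sha2_only = make_repo(jar, b"constructed jar bytes", ["sha512", "sha256"])
    # New client against a repo without SHA-2 sidecars: two 404s, then SHA-1.
    print(verify_artifact(legacy, jar, ["sha512", "sha256", "sha1", "md5"]))
    # Old client against a SHA-2-only repo: lenient mode validates nothing.
    print(verify_artifact(sha2_only, jar, ["sha1", "md5"], strict=False))
```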