wow, I did not know that: I really love it

IIUC, these checksum files (per remote repository!) not only cover dependencies (jars), but also:
- their poms, with parents
- plugins used during build (with their poms and parent...)

I suppose it also covers extensions?

This honestly makes me think of a few edge cases:
- what about plugins used only at deploy time? Are they automatically recorded when recording trusted checksum, or do they require clearly asking for the deploy phase?
- what about plugins activated only in some profiles?
- what about plugins added sometimes on CLI, that may be random?

We need to learn real life with this, but IMHO this is definitely a great addition: I hope we'll manage to have it as part of standard Maven usage practices in the future, even if I'm not sure we'll be ready for Maven 4 final release

Regards,

Hervé

On Tuesday, 17 September 2024, 12:29:17 CEST, Tamás Cservenák wrote:
> Hej,
>
> Regarding the 2nd question: that feature is present in 3.9.2+ and is
> called "Trusted Checksums".
> It applies to all resolution operations, not only "already downloaded".
>
> See here:
> https://maven.apache.org/resolver/expected-checksums.html
> https://stackoverflow.com/questions/78746427/how-to-use-maven-resolver-trusted-checksums-to-ensure-artifact-integrity
>
> but "demo" is here:
> https://github.com/cstamas/tc-demo
>
> HTH
> T
>
> On Tue, Sep 17, 2024 at 12:22 PM Delany <delany.middle...@gmail.com> wrote:
> > Maven 4 comes with --strict-checksums on by default.
> > Do I understand correctly that this protection only applies for
> > dependencies that have previously been downloaded?
> > And that there's value in implementing something like
> > https://github.com/chains-project/maven-lockfile or
> > https://github.com/vandmo/dependency-lock-maven-plugin ?
> >
> > Thanks,
> > Delany
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
> For additional commands, e-mail: users-h...@maven.apache.org