Hi,

I shared comments on PR 337 and discussed it with gnodet, but I think posting here may better catch the attention of core committers.

First of all, I think the JDK auto-download feature is a valuable enhancement, but I do have a few concerns I'd like to highlight:

* Scope Creep & Naming
  Maven Wrapper is intended to wrap Maven—not a JDK. Adding JDK management expands its scope significantly. It might be more appropriate as a standalone "JDK Wrapper" or part of a broader environment-management tool.

* User Experience (UX)
  Even though JDK configuration is technically opt-in, in practice a user cloning a repository and running ./mvnw may unknowingly trigger a JDK download. This behavior may surprise developers and potentially even break their environments. Prompting or clearly notifying users before downloading could help.
  And while the feature is opt-in, this is a substantial behavioral and major change. I recommend releasing it under a new major version to avoid surprises for users upgrading Maven Wrapper.

* Security & License Transparency
  Using jdkDistributionUrl with jdkSha256Sum confirms file integrity, but it doesn't guarantee the security or trustworthiness of the downloaded JDK. A user could unknowingly fetch a malicious JDK.
  Additionally, users might inadvertently download a JDK under a license that may be incompatible with their project's license or internal policies—leading to unintentional licensing obligations.

Best regards,
Jimisola