[ https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15076319#comment-15076319 ]

Jason van Zyl commented on MNG-5728:
------------------------------------
So I'll give you some food for thought. This doesn't make Maven more secure,
really, but it would help with artifacts not being downloaded entirely or
correctly. It was set to warn for historical reasons because many artifacts
didn't have checksum files deployed. This has been largely corrected by the
submission policy to Maven Central where there have to be checksum files. Where
the cutoff point in the past is, I'm not sure. I'm also not sure how well
organizations enforce this internally, especially where non-Maven systems are
used to deploy. While I agree it makes sense to be the default, I'd like to
prevent the potential where in a minor version change we make a major
behavioral change that causes people a lot of grief.

So I'm all for changing this but why don't we throw this in the bucket for 4.x
where we make other large changes: Java 8, massive deprecation removal,
removal of Plexus, and anything where people should know and understand the
impact of changing. In this particular case I think there are more builds than
you might expect that would be affected by this change.

That's my take at any rate.

> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
> Key: MNG-5728
> URL: https://issues.apache.org/jira/browse/MNG-5728
> Project: Maven
> Issue Type: Improvement
> Components: Artifacts and Repositories
> Reporter: Nicolas Juneau
> Priority: Minor
>
> The default checksum policy when obtaining artifacts during a build is
> currently, by default, "warn". This seems a bit odd to me since a checksum
> is usually used to prevent the use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is
> easy to miss a bad checksum warning. I am aware that there is a
> checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be
> defined for all repositories at once. It has to be done either on a
> per-repository basis or by using the "strict-checksum" flag in the command
> line.
> After searching around a bit on the Web and with the help of a coworker, we
> discovered that the default "warn" setting was mainly there because some
> repositories were not handling checksums quite well. Issue MNG-339 contains
> some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the
> default "warn" setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood
> of errors and also slightly increase the security of Maven. Corrupted
> artifacts should not, by default, be used for builds.
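
One way to estimate how many artifacts would be affected by a stricter policy is to audit a repository directory before changing anything. The script below is an added example, not part of the issue or of Maven: it walks a tree in standard repository layout and sorts artifacts into matching, mismatching, and missing `.sha1` sidecars, the two problem cases raised in the comment and the issue. The function names, the audited file extensions and the sample artifacts are assumptions made for illustration, and only SHA-1 sidecars are checked.

```python
import hashlib
import tempfile
from pathlib import Path

ARTIFACT_SUFFIXES = {".jar", ".pom", ".war"}  # assumption: file types to audit

def sha1_of(path):
    return hashlib.sha1(path.read_bytes()).hexdigest()

def read_sidecar(path):
    # A sidecar is either a bare hex digest or sha1sum-style "digest  filename";
    # the first whitespace-separated token covers both forms.
    tokens = path.read_text(errors="replace").split()
    return tokens[0].lower() if tokens else ""

def audit(repo_root):
    """Classify each artifact under repo_root as ok, mismatch or missing."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for artifact in sorted(repo_root.rglob("*")):
        if not artifact.is_file() or artifact.suffix not in ARTIFACT_SUFFIXES:
            continue
        sidecar = artifact.with_name(artifact.name + ".sha1")
        if not sidecar.is_file():
            status = "missing"      # deployed without a checksum file
        elif read_sidecar(sidecar) == sha1_of(artifact):
            status = "ok"
        else:
            status = "mismatch"     # corrupted or incomplete artifact
        report[status].append(artifact.relative_to(repo_root).as_posix())
    return report

def audit_sample():
    # Constructed sample data: three fake artifacts, one per outcome.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "com", "example", "demo", "1.0")
        base.mkdir(parents=True)
        good = hashlib.sha1(b"complete jar").hexdigest()
        samples = [
            ("demo-1.0.jar", b"complete jar", good + "  demo-1.0.jar\n"),
            ("demo-1.0.pom", b"<project/>", "0" * 40),
            ("demo-1.0.war", b"no checksum deployed", None),
        ]
        for name, body, sidecar in samples:
            (base / name).write_bytes(body)
            if sidecar is not None:
                (base / (name + ".sha1")).write_text(sidecar)
        return audit(Path(tmp))

if __name__ == "__main__":
    for status, paths in audit_sample().items():
        print(f"{status:9}{paths}")
```

To audit a real tree, call `audit(Path(...))` on the repository root; the `missing` and `mismatch` lists are the artifacts to fix or re-deploy first.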