[
https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15081231#comment-15081231
]
Nicolas Juneau commented on MNG-5728:
-------------------------------------
Hello Jason,
I concur about the issue potentially affecting many users. Inconsistent builds
is what pushed me into creating the issue, after all. If the "-c" flag stays,
the issue can still be mitigated for the ones who depend on the "warn"
behaviour. Since checksum verification is already part of Maven, security might
not be increased per-se, but I hope it will increase awareness about the
integrity of the artifacts used in builds.
If you need me to improve my pull request or just rebase my branch, just ping
me here or on the Github pull request. Do not hesitate to point me at anything
that could be improved as this would be the first lines of code I submit to
Maven.
Thanks,
Nicolas
> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
> Key: MNG-5728
> URL: https://issues.apache.org/jira/browse/MNG-5728
> Project: Maven
> Issue Type: Improvement
> Components: Artifacts and Repositories
> Reporter: Nicolas Juneau
> Priority: Minor
> Fix For: Issues to be reviewed for 4.x
>
>
> The default checksum policy when obtaining artifacts during a build is
> currently, by default, "warn". This seems a bit odd for me since a checksum
> is usually used to prevent the use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is
> easy to miss a bad checksum warning. I am aware that there is a
> checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be
> defined for all repositories at once. It has to be done either on a
> per-repository basis or by using the "strict-checksum" flag in the command
> line.
> After searching around a bit on the Web and with the help of a coworker, we
> discovered that the default "warn" setting was mainly there because some
> repositories were not handling checksums quite well. Issue MNG-339 contains
> some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the
> default "warn" setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood
> of errors and also slightly increase the security of Maven. Corrupted
> artifacts should not, by default, be used for builds.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
