[
https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16015428#comment-16015428
]
Michael Benz commented on MNG-5728:
-----------------------------------
In a larger Maven project with external repositories we had quite a few
occurrences with corrupt downloaded jars. After finding out the default policy
on checksums I also try to use the -C option.
> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
> Key: MNG-5728
> URL: https://issues.apache.org/jira/browse/MNG-5728
> Project: Maven
> Issue Type: Improvement
> Components: Artifacts and Repositories
> Reporter: Nicolas Juneau
> Priority: Minor
> Fix For: Issues to be reviewed for 4.x
>
>
> The default checksum policy when obtaining artifacts during a build is
> currently, by default, "warn". This seems a bit odd for me since a checksum
> is usually used to prevent the use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is
> easy to miss a bad checksum warning. I am aware that there is a
> checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be
> defined for all repositories at once. It has to be done either on a
> per-repository basis or by using the "strict-checksum" flag in the command
> line.
> After searching around a bit on the Web and with the help of a coworker, we
> discovered that the default "warn" setting was mainly there because some
> repositories were not handling checksums quite well. Issue MNG-339 contains
> some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the
> default "warn" setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood
> of errors and also slightly increase the security of Maven. Corrupted
> artifacts should not, by default, be used for builds.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
