[
https://issues.apache.org/jira/browse/MNG-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16503493#comment-16503493
]
Karl Heinz Marbaise commented on MNG-6422:
------------------------------------------
First there have to be warnings in your build about non-matching checksums or
failures to download them... which is the first hint. Apart from that, I would
recommend changing your checksum policy to fail in cases of wrong checksums
etc. via the {{settings.xml}} file. See here:
https://maven.apache.org/settings.html#repositories
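The settings.xml change suggested in the comment above, written out as an added example (it is not from the issue or from the Maven project; the profile id and the repository entries are assumptions, and an internal Artifactory mirror would get the same `<releases>`/`<snapshots>` blocks). `checksumPolicy` accepts `ignore`, `warn` (the default, which only logs the mismatch) and `fail`; reusing the id `central` overrides the built-in Central definition so that the policy also applies to it:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ~/.m2/settings.xml (added example, not the project's own file) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <profiles>
    <profile>
      <!-- profile id is an assumption; any name works as long as it is activated below -->
      <id>strict-checksums</id>

      <!-- artifact repositories: a .sha1/.md5 that does not match the download fails the build -->
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>   <!-- default is warn -->
          </releases>
          <snapshots>
            <enabled>false</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </repository>
        <!-- an internal mirror (Artifactory/Nexus) gets an identical entry with its own id and url -->
      </repositories>

      <!-- plugins are resolved through a separate repository list; set the same policy there -->
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>

  <!-- without this the profile is defined but never applied -->
  <activeProfiles>
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>
```

For a one-off run the same behaviour is available from the command line with `mvn -C` (`--strict-checksums`). Two caveats a practitioner should keep in mind: the policy is only evaluated when an artifact is downloaded, so files already sitting in `~/.m2/repository` (such as the HTML listings the issue describes) are not re-checked until they are removed and resolved again; and the `.sha1` file is served by the same repository as the artifact, so `fail` catches truncated or wrong-content downloads but is not a substitute for verifying signatures or pinning checksums in the build itself.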
> Maven by default does not check checksums; Maven lacks reproducible builds
> capability
> -------------------------------------------------------------------------------------
>
> Key: MNG-6422
> URL: https://issues.apache.org/jira/browse/MNG-6422
> Project: Maven
> Issue Type: Bug
> Affects Versions: 3.5.0
> Reporter: Martin Vysny
> Priority: Major
>
> Maven by default does not check checksums of downloaded jar files. That leads
> to ridiculous situations like for example when a misconfigured Artifactory
> instance provides an HTML directory listing instead of an actual jar file
> (because of an incorrect path or access denied or other reason). Maven should
> reject such a jar file (since it can't match the checksum), but instead it
> happily stores it into the local repository and then later fails because it's
> not a valid zip file.
> This issue exposes something even worse - you actually can't have
> reproducible builds with Maven since the reproducibility of the build depends
> on whatever you have in your local .m2 repository. So for example the build
> fails for me (since my local .m2 is populated by borked jar files which are
> really html files), but it succeeds for my colleagues (simply because they
> populated their local .m2 repo at a different time and they have proper actual
> jar files).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)