[ 
https://issues.apache.org/jira/browse/MNG-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Osipov updated MNG-6422:
--------------------------------
    Fix Version/s: waiting-for-feedback

> Maven by default does not check checksums; Maven lacks reproducible builds 
> capability
> -------------------------------------------------------------------------------------
>
>                 Key: MNG-6422
>                 URL: https://issues.apache.org/jira/browse/MNG-6422
>             Project: Maven
>          Issue Type: Bug
>    Affects Versions: 3.5.0
>            Reporter: Martin Vysny
>            Priority: Major
>             Fix For: waiting-for-feedback
>
>
> Maven by default does not check checksums of downloaded jar files. That leads 
> to ridiculous situations like for example when a misconfigured Artifactory 
> instance provides an HTML directory listing instead of an actual jar file 
> (because of an incorrect path or access denied or another reason). Maven should 
> reject such a jar file (since it can't match the checksum), but instead it 
> happily stores it in the local repository and then later fails because it's 
> not a valid zip file.
> This issue exposes something even worse - you actually can't have 
> reproducible builds with Maven since the reproducibility of the build depends 
> on whatever you have in your local .m2 repository. So for example the build 
> fails for me (since my local .m2 is populated by borked jar files which are 
> really HTML files), but it succeeds for my colleagues (simply because they 
> populated their local .m2 repo at a different time and they have proper actual 
> jar files).
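The failure mode the report describes (an HTML listing saved as a `.jar`, with a `.sha1` sidecar that does not match it) can be detected after the fact by auditing the local repository. The following Python script is an added example and is not part of the JIRA issue or of Maven itself; it builds a constructed sample `.m2`-style tree with one genuine jar and one HTML file stored under a `.jar` name, then checks each jar for the zip magic bytes and compares its SHA-1 against the sidecar Maven writes next to it (`<artifact>.jar.sha1`, hex digest optionally followed by a file name). The directory layout and artifact names are constructed for the example. On the Maven side, the page's point maps to `-C`/`--strict-checksums` on the command line or `checksumPolicy` set to `fail` in the repository configuration, which makes Maven reject the download instead of caching it.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# A jar is a zip; a real one starts with a local-file header or, if empty, an end-of-central-directory record.
ZIP_MAGIC = b"PK\x03\x04"
EMPTY_ZIP_MAGIC = b"PK\x05\x06"


def sha1_of(path):
    """Hex SHA-1 of a file, streamed so large artifacts are not read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_sidecar(path):
    """Parse a Maven .sha1 sidecar: first whitespace-separated token is the hex digest."""
    text = Path(path).read_text(encoding="utf-8", errors="replace").strip()
    return text.split()[0].lower() if text else ""


def audit_jar(jar_path):
    """Return a list of problems for one jar: not-a-zip, missing-sha1, sha1-mismatch."""
    jar_path = Path(jar_path)
    problems = []
    with open(jar_path, "rb") as fh:
        head = fh.read(4)
    if head not in (ZIP_MAGIC, EMPTY_ZIP_MAGIC):
        problems.append("not-a-zip")  # e.g. an HTML directory listing cached under a .jar name
    sidecar = jar_path.with_name(jar_path.name + ".sha1")
    if not sidecar.exists():
        problems.append("missing-sha1")
    elif read_sidecar(sidecar) != sha1_of(jar_path):
        problems.append("sha1-mismatch")
    return problems


def audit_repository(root):
    """Map each jar (path relative to root) to its list of problems; an empty list means clean."""
    root = Path(root)
    return {str(p.relative_to(root)): audit_jar(p) for p in sorted(root.rglob("*.jar"))}


def build_sample_repo():
    """Constructed sample repository: one valid jar, one HTML listing stored as a jar."""
    root = Path(tempfile.mkdtemp(prefix="m2-sample-"))

    good_dir = root / "org" / "example" / "good" / "1.0"
    good_dir.mkdir(parents=True)
    good = good_dir / "good-1.0.jar"
    with zipfile.ZipFile(good, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    (good_dir / "good-1.0.jar.sha1").write_text(sha1_of(good) + "\n")

    bad_dir = root / "org" / "example" / "bad" / "1.0"
    bad_dir.mkdir(parents=True)
    bad = bad_dir / "bad-1.0.jar"
    bad.write_bytes(b"<html><body><h1>Index of /org/example/bad/1.0</h1></body></html>\n")
    # The sidecar carries the digest published for the real artifact (a constructed value here),
    # so it cannot match the HTML body that was cached in its place.
    (bad_dir / "bad-1.0.jar.sha1").write_text(hashlib.sha1(b"real artifact bytes").hexdigest() + "\n")
    return root


if __name__ == "__main__":
    # Run against the constructed sample; point audit_repository at ~/.m2/repository for a real audit.
    for rel, problems in audit_repository(build_sample_repo()).items():
        print(f"{rel}: {'ok' if not problems else ', '.join(problems)}")
```

Any jar flagged `not-a-zip` or `sha1-mismatch` is exactly the kind of cached artifact that makes one developer's build fail while a colleague's succeeds; deleting the flagged directory and re-resolving with strict checksums enabled restores a state both machines can reproduce.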



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
