[ https://issues.apache.org/jira/browse/MNG-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Osipov updated MNG-6422:
--------------------------------
    Fix Version/s: waiting-for-feedback

> Maven by default does not check checksums; Maven lacks reproducible builds capability
> -------------------------------------------------------------------------------------
>
>                 Key: MNG-6422
>                 URL: https://issues.apache.org/jira/browse/MNG-6422
>             Project: Maven
>          Issue Type: Bug
>    Affects Versions: 3.5.0
>            Reporter: Martin Vysny
>            Priority: Major
>             Fix For: waiting-for-feedback
>
>
> Maven by default does not check checksums of downloaded jar files. That leads to ridiculous situations like for example when a misconfigured Artifactory instance provides an HTML directory listing instead of an actual jar file (because of an incorrect path or access denied or another reason). Maven should reject such a jar file (since it can't match the checksum), but instead it happily stores it into the local repository and then later fails because it's not a valid zip file.
> This issue exposes something even worse - you actually can't have reproducible builds with Maven since the reproducibility of the build depends on whatever you have in your local .m2 repository. So for example the build fails for me (since my local .m2 is populated by borked jar files which are really html files), but it succeeds for my colleagues (simply because they populated their local .m2 repo at a different time and they have proper actual jar files).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
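The failure mode described in the issue (an HTML listing cached under a `.jar` name, and no checksum check to catch it) can be detected after the fact by scanning the local repository. The script below is an added example written for this thread; it is not part of the JIRA issue, of Maven, or of Artifactory. It assumes the Maven convention of a sidecar `<artifact>.sha1` file whose first token is the hex SHA-1 digest (the layout Maven Central publishes), that `sha1sum`, `od` and `awk` are on the PATH, and that a genuine jar starts with the zip local-file-header magic `PK\003\004`. Both checks are reported separately, since a jar can be a valid zip and still fail its checksum, or have no checksum file at all.

```shell
#!/bin/sh
# Added example, not Maven's own code: flag local-repository artifacts that are
# not real zip/jar files and verify each jar against its sidecar .sha1 file,
# which is what Maven's "strict" checksum policy would enforce at download time.

# Return 0 when the file begins with the zip magic bytes 50 4b 03 04 ("PK\003\004").
is_zip() {
  [ -f "$1" ] || return 1
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# Return 0 when the SHA-1 of "$1" equals the digest recorded in "$1.sha1".
# Return 2 when no .sha1 sidecar exists (treated as a failure by the caller).
# Assumption: the sidecar's first whitespace-separated token is the hex digest.
sha1_matches() {
  f="$1"
  [ -f "$f.sha1" ] || return 2
  expected=$(awk 'NR==1 {print tolower($1)}' "$f.sha1")
  actual=$(sha1sum "$f" | awk '{print $1}')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify a single artifact: must be a zip container and must match its checksum.
verify_artifact() {
  if ! is_zip "$1"; then
    echo "NOT A JAR (wrong magic bytes): $1" >&2
    return 1
  fi
  if ! sha1_matches "$1"; then
    echo "CHECKSUM MISSING OR MISMATCHED: $1" >&2
    return 1
  fi
  return 0
}

# Walk a repository tree (e.g. ~/.m2/repository), report offenders on stderr,
# and print the number of failing .jar files on stdout.
scan_repo() {
  bad=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    verify_artifact "$f" || bad=$((bad + 1))
  done <<EOF
$(find "$1" -type f -name '*.jar')
EOF
  echo "$bad"
}

# Usage (uncomment to run against a real local repository):
# echo "failing artifacts: $(scan_repo "$HOME/.m2/repository")"
```

Running `scan_repo` over `~/.m2/repository` lists every cached jar that is really an HTML page (or anything else that is not a zip) and every jar whose `.sha1` sidecar is absent or disagrees with the content; deleting those entries and re-resolving with Maven's strict checksum policy enabled restores a repository state that matches what the remote actually serves.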