[ https://issues.apache.org/jira/browse/MNG-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Scholte closed MNG-6422.
-------------------------------
Resolution: Duplicate
Assignee: Robert Scholte
Fix Version/s: (was: waiting-for-feedback)
Kind of duplicate of MNG-5728, which will very likely be fixed in the next
major version.
> Maven by default does not check checksums; Maven lacks reproducible builds
> capability
> -------------------------------------------------------------------------------------
>
> Key: MNG-6422
> URL: https://issues.apache.org/jira/browse/MNG-6422
> Project: Maven
> Issue Type: Bug
> Affects Versions: 3.5.0
> Reporter: Martin Vysny
> Assignee: Robert Scholte
> Priority: Major
>
> Maven by default does not check checksums of downloaded jar files. That leads
> to ridiculous situations like, for example, when a misconfigured Artifactory
> instance provides an HTML directory listing instead of an actual jar file
> (because of an incorrect path, access denied, or some other reason). Maven should
> reject such a jar file (since it can't match the checksum), but instead it
> happily stores it in the local repository and then later fails because it's
> not a valid zip file.
> This issue exposes something even worse - you actually can't have
> reproducible builds with Maven, since the reproducibility of the build depends
> on whatever you have in your local .m2 repository. So, for example, the build
> fails for me (since my local .m2 is populated with borked jar files which are
> really HTML files), but it succeeds for my colleagues (simply because they
> populated their local .m2 repo at a different time and they have proper, actual
> jar files).
--
This message was sent by Atlassian JIRA (v7.6.3#76005)
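A defender-side check for the situation the report describes, added here as an example and not code from the ticket or from Maven itself: it walks a local repository, flags `.jar` files that are not ZIP containers at all (an HTML directory listing saved under a jar name) and compares every jar against the `.sha1` sidecar Maven stores next to it. The repository built by `demo()` is constructed sample data.

```python
import hashlib
import io
import os
import tempfile
import zipfile

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # ZIP local file header / empty archive

def audit_artifact(path):
    """Return None if the file looks sane, otherwise a short reason string."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(ZIP_MAGIC):  # a jar is a ZIP; anything else is junk
        head = data[:64].lstrip().lower()
        kind = "HTML document" if head.startswith((b"<!doctype", b"<html")) else "non-ZIP data"
        return f"{kind} stored as {os.path.basename(path)}"
    sidecar = path + ".sha1"
    if os.path.exists(sidecar):  # Maven keeps the remote checksum beside the artifact
        with open(sidecar) as fh:
            expected = (fh.read().split() or [""])[0].lower()  # may be followed by a filename
        if hashlib.sha1(data).hexdigest() != expected:
            return f"SHA-1 mismatch for {os.path.basename(path)}"
    return None

def audit_repository(root):
    """Walk a repository tree and report every .jar that fails audit_artifact."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in sorted(fs) if f.endswith(".jar")]
    return [reason for reason in map(audit_artifact, paths) if reason]

def demo():
    """Constructed sample repo: one good jar, one HTML listing, one tampered jar."""
    root = tempfile.mkdtemp()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    good = buf.getvalue()
    listing = b"<!DOCTYPE html><html><body>Index of /repo/</body></html>\n"
    for name, data in [("good-1.0.jar", good), ("listing-1.0.jar", listing),
                       ("tampered-1.0.jar", good + b"\x00")]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
        with open(os.path.join(root, name + ".sha1"), "w") as fh:
            fh.write(hashlib.sha1(good).hexdigest() + "\n")  # sidecar of the real jar
    return audit_repository(root)
```

This only audits what is already cached; to make Maven refuse a mismatching checksum at download time, run it with `mvn --strict-checksums` (`-C`) or set `<checksumPolicy>fail</checksumPolicy>` on the repository definition.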