[ https://issues.apache.org/jira/browse/MRESOLVER-56?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17130641#comment-17130641 ]
Konrad Windszus edited comment on MRESOLVER-56 at 6/10/20, 12:53 PM:
---------------------------------------------------------------------
bq. Why didn't you comment on it?
Because I just figured out now this will also upload those hashes to remote
repos!
I won't be able to work on that in the near future, but I would recommend
not releasing it as is, as it will make it impossible to use Maven 3.7 with Nexus
< 2.14.18 (and I don't know of compatibility with the other repo managers).
> Support SHA-256 and SHA-512 as checksums
> ----------------------------------------
>
> Key: MRESOLVER-56
> URL: https://issues.apache.org/jira/browse/MRESOLVER-56
> Project: Maven Resolver
> Issue Type: Improvement
> Components: resolver
> Affects Versions: Maven Artifact Resolver 1.1.1
> Reporter: Konrad Windszus
> Assignee: Michael Osipov
> Priority: Major
> Fix For: 1.4.3
>
>
> As both supported checksums on remote repositories (namely MD5 and SHA1) have
> known flaws, it would be nice if the Maven Resolver could also leverage other
> hashes like SHA256 and SHA512.
> Although those hashes aren't part of the official Maven 2 repository layout
> (https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
> couldn't find any newer/other spec) I don't see how an additional
> {{.sha256}} or {{.sha512}} file could introduce backwards compatibility
> issues with older clients.
> I think this namely would mean you would also return SHA512 and SHA256 if
> they exist and leverage if they are supported by the JRE. The longer the hash
> the better it is, therefore the hashes should be checked in the following
> order
> # SHA512
> # SHA256
> # SHA1
> # MD5
> This would need to be considered in the API within
> https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165
> and
> https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.
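
The checksum preference order proposed in the issue description above, as an added Java example that is not Maven Resolver code. The class and method names, the sample bytes, and the rule that a mismatch on a stronger hash fails instead of falling back to a weaker one are assumptions of this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public class ChecksumPreference {
    // Strongest first, the order proposed in the issue: {file extension, JCA algorithm name}.
    static final String[][] ORDER = {
        {"sha512", "SHA-512"}, {"sha256", "SHA-256"}, {"sha1", "SHA-1"}, {"md5", "MD5"}};

    static String hex(String algorithm, byte[] data) throws NoSuchAlgorithmException {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance(algorithm).digest(data)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // remote: extension -> content of the checksum file the repository served (absent if none).
    // Returns the extension that verified the data (assumed policy: a mismatch is fatal and
    // never falls back to a weaker hash).
    static String verify(byte[] data, Map<String, String> remote) {
        for (String[] entry : ORDER) {
            String served = remote.get(entry[0]);
            if (served == null) continue;              // repository has no such file
            String actual;
            try {
                actual = hex(entry[1], data);
            } catch (NoSuchAlgorithmException e) {
                continue;                              // JRE lacks the algorithm, try the next
            }
            String expected = served.trim().split("\\s+")[0]; // tolerate "hash  filename"
            if (!actual.equalsIgnoreCase(expected)) {
                throw new SecurityException(entry[0] + " mismatch");
            }
            return entry[0];
        }
        throw new IllegalStateException("no usable checksum served");
    }

    public static void main(String[] args) throws Exception {
        byte[] jar = "constructed artifact bytes".getBytes(StandardCharsets.UTF_8);
        Map<String, String> remote = new HashMap<>();  // constructed sample repository content
        remote.put("md5", hex("MD5", jar));            // repository serving only MD5 and SHA-1
        remote.put("sha1", hex("SHA-1", jar));
        System.out.println(verify(jar, remote));
        remote.put("sha256", hex("SHA-256", jar) + "  demo.jar");
        System.out.println(verify(jar, remote));
    }
}
```

This covers only the download side; the compatibility concern raised in the comment is about the upload side, where a client also deploys `.sha256` and `.sha512` files to the repository manager.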