[jira] [Closed] (MNG-5728) Switch the default checksum policy from "warn" to "fail"

Wed, 02 Dec 2020 11:55:11 -0800 


     [ 
https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Osipov closed MNG-5728.
-------------------------------
    Fix Version/s:     (was: 4.0.x-candidate)
                   4.0.0-alpha-1
                   4.0.0
       Resolution: Fixed

Fixed with 
[95ee8908370744153531aa2e80a9bce93dc5d9bc|https://gitbox.apache.org/repos/asf?p=maven.git&a=commit&h=95ee8908370744153531aa2e80a9bce93dc5d9bc]
 and ITs with 
[10fd1f967dd95bf7b8451cec0a20fd88f55582c8|https://gitbox.apache.org/repos/asf?p=maven-integration-testing.git&a=commit&h=10fd1f967dd95bf7b8451cec0a20fd88f55582c8].

> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
>                 Key: MNG-5728
>                 URL: https://issues.apache.org/jira/browse/MNG-5728
>             Project: Maven
>          Issue Type: Improvement
>          Components: Artifacts and Repositories
>            Reporter: Nicolas Juneau
>            Assignee: Robert Scholte
>            Priority: Minor
>             Fix For: 4.0.0, 4.0.0-alpha-1
>
>
> The default checksum policy when obtaining artifacts during a build is 
> currently, by default, "warn". This seems a bit odd for me since a checksum 
> is usually used to prevent the use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is 
> easy to miss a bad checksum warning. I am aware that there is a 
> checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be 
> defined for all repositories at once. It has to be done either on a 
> per-repository basis or by using the "strict-checksum" flag in the command 
> line.
> After searching around a bit on the Web and with the help of a coworker, we 
> discovered that the default "warn" setting was mainly there because some 
> repositories were not handling checksums quite well. Issue MNG-339 contains 
> some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the 
> default "warn" setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood 
> of errors and also slightly increase the security of Maven. Corrupted 
> artifacts should not, by default, be used for builds.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to