[ https://issues.apache.org/jira/browse/MNG-5689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17255192#comment-17255192 ]

Christopher Tubbs commented on MNG-5689:
----------------------------------------

> This is not correct. The mirror is still necessary to catch repositories from 
> POMs which are not in settings.xml. 

It sounds like you're saying that mirrors are still useful if the only thing 
you want to override from repositories in the POMs are the URLs. And, probably 
the most useful one to override is `<mirrorOf>*</mirrorOf>`.

> The mirror inherits the policies of the repo it mirrors. This makes sense.

I'm not convinced that it makes sense. The POMs should not be the authority on 
how the client behaves when interacting with a repository. The client should 
decide for itself how it wants to treat the checksum failures when interacting 
with that repository (or any of its mirrors).

Even if the default is now strict, a POM could specify a repository that is not 
strict... and the client should be able to override that to force it to be 
strict (or some other setting, although I don't know why anybody would choose 
to use anything other than strict/fail). The client can currently override it 
globally across all repositories, using `-C`, but there's no `settings.xml` 
equivalent to that.

> Checksum policy for mirrors
> ---------------------------
>
>                 Key: MNG-5689
>                 URL: https://issues.apache.org/jira/browse/MNG-5689
>             Project: Maven
>          Issue Type: Improvement
>          Components: Settings
>    Affects Versions: 3.2.3
>            Reporter: Christopher Tubbs
>            Priority: Major
>              Labels: security-issue
>             Fix For: Issues to be reviewed for 4.x, wontfix-candidate
>
>
> It does not appear that there is any way to configure a checksum policy for 
> mirrors in the settings.xml file.
> In particular, I'd love to enforce a "strict" checksum policy on maven 
> central. I can configure a mirrorOf central, but I cannot set the checksum 
> policy. This seems like a big oversight.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
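As an added illustration, not part of the Jira thread, here is the settings.xml shape this exchange implies: since a mirror inherits the checksum policy of the repository it mirrors, a settings profile that redeclares `central` with `checksumPolicy` set to `fail` makes a `<mirrorOf>*</mirrorOf>` mirror strict for artifacts resolved via central. The mirror hostname is a placeholder; repositories declared only in POMs keep whatever policy the POM gives them, which is the gap the comment describes.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <!-- Route every repository request (also those from repositories declared in POMs)
       through one mirror; the mirror itself cannot carry a checksum policy. -->
  <mirrors>
    <mirror>
      <id>internal-mirror</id>
      <mirrorOf>*</mirrorOf>
      <!-- placeholder host -->
      <url>https://mirror.example.internal/maven2</url>
    </mirror>
  </mirrors>

  <profiles>
    <profile>
      <id>strict-checksums</id>
      <!-- Redeclare "central" so the policy the mirror inherits for it is "fail".
           Valid checksumPolicy values are ignore, warn and fail. -->
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>
      <!-- Plugins are resolved through a separate repository list; cover it too. -->
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>
```

The only client-side control that covers repositories declared solely in POMs remains the `-C` (`--strict-checksums`) command-line flag mentioned above, which applies to every repository regardless of what the POM declares.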