[ 
https://issues.apache.org/jira/browse/MNG-5689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17255317#comment-17255317
 ] 

Michael Osipov commented on MNG-5689:
-------------------------------------

> > This is not correct. The mirror is still necessary to catch repositories 
> > from POMs which are not in settings.xml.
> 
> It sounds like you're saying that mirrors are still useful if the only thing 
> you want to override from repositories in the POMs are the URLs. And, 
> probably the most useful one to override is `<mirrorOf>*</mirrorOf>`.

Correct, that's the sole purpose of a mirror. If you look into Maven's code you 
see that only the URL is swapped. No additional logic so far.
{code:java}
    private void injectMirror( ArtifactRepository repository, Mirror mirror )
    {
        if ( mirror != null )
        {
            // Keep a copy of the repository as declared (id, URL, layout, policies)
            ArtifactRepository original =
                createArtifactRepository( repository.getId(), repository.getUrl(), repository.getLayout(),
                                          repository.getSnapshots(), repository.getReleases() );

            repository.setMirroredRepositories( Collections.singletonList( original ) );

            // Only id and URL are replaced by the mirror's values
            repository.setId( mirror.getId() );
            repository.setUrl( mirror.getUrl() );

            // Layout is optional on the mirror; the snapshot/release policies are left untouched
            if ( StringUtils.isNotEmpty( mirror.getLayout() ) )
            {
                repository.setLayout( getLayout( mirror.getLayout() ) );
            }
        }
    }
{code}

> > The mirror inherits the policies of the repo it mirrors. This makes sense.
>
> I'm not convinced that it makes sense. The POMs should not be the authority 
> on how the client behaves when interacting with a repository. The client 
> should decide for itself how it wants to treat the checksum failures when 
> interacting with that repository (or any of its mirrors).

This wouldn't be a mirror anymore, but anything else would show a distorted 
picture and not behave as the original one. The purpose of a mirror is to trust 
it as the original one. No more, no less.

> Even if the default is now strict, a POM could specify a repository that is 
> not strict... and the client should be able to override that to force it to 
> be strict (or some other setting, although I don't know why anybody would 
> choose to use anything other than strict/fail). The client can currently 
> override it globally across all repositories, using `-C`, but there's no 
> `settings.xml` equivalent to that.

There is a good reason why we say not to put repos into a POM. But I see your 
point to some degree.

> Checksum policy for mirrors
> ---------------------------
>
>                 Key: MNG-5689
>                 URL: https://issues.apache.org/jira/browse/MNG-5689
>             Project: Maven
>          Issue Type: Improvement
>          Components: Settings
>    Affects Versions: 3.2.3
>            Reporter: Christopher Tubbs
>            Priority: Major
>              Labels: security-issue
>             Fix For: Issues to be reviewed for 4.x, wontfix-candidate
>
>
> It does not appear that there is any way to configure a checksum policy for 
> mirrors in the settings.xml file.
> In particular, I'd love to enforce a "strict" checksum policy on maven 
> central. I can configure a mirrorOf central, but I cannot set the checksum 
> policy. This seems like a big oversight.
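The following settings.xml is an added illustration of the behaviour discussed in this thread; it is not from the issue, from Maven's documentation or from Maven's own code. Because `injectMirror` swaps only the id, URL and optionally the layout, a mirror carries no checksumPolicy of its own and inherits the release/snapshot policies of the repository it mirrors. The example therefore puts the strict policy on a `central` definition in an active profile and points a mirror at it. It assumes that a repository with id `central` declared in a settings profile takes precedence over the super-POM definition; the mirror URL is a constructed placeholder.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <!-- A mirror only swaps the URL (and optionally the layout); it has no checksumPolicy element. -->
  <mirrors>
    <mirror>
      <id>internal-mirror</id>
      <mirrorOf>central</mirrorOf>
      <!-- constructed placeholder URL; replace with the real mirror -->
      <url>https://mirror.example.invalid/maven2</url>
    </mirror>
  </mirrors>

  <!-- The strict policy lives on the mirrored repository and is inherited by the mirror.
       Assumption: this profile-defined "central" takes precedence over the super-POM one. -->
  <profiles>
    <profile>
      <id>strict-checksums</id>
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>
```

This covers only `central`; repositories declared in project POMs keep whatever policy the POM states, which is the gap the reporter describes. `mvn -C` (`--strict-checksums`) remains the only switch that forces `fail` across every repository at once.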



--
This message was sent by Atlassian Jira
(v8.3.4#803005)