[
https://issues.apache.org/jira/browse/MRESOLVER-268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574763#comment-17574763
]
ASF GitHub Bot commented on MRESOLVER-268:
------------------------------------------
michael-o commented on PR #191:
URL: https://github.com/apache/maven-resolver/pull/191#issuecomment-1204085399
This should not be default for two reasons:
* It will apply a significal computational overhead
* Artifacts which have been locally installied don't have checksums at all
> Apply artifact checksum verification for any resolved artifact
> --------------------------------------------------------------
>
> Key: MRESOLVER-268
> URL: https://issues.apache.org/jira/browse/MRESOLVER-268
> Project: Maven Resolver
> Issue Type: Improvement
> Reporter: Rafael Winterhalter
> Priority: Major
>
> Maven resolver currently only verifies provided checksums (via
> ProvidedChecksumsSource) when artifacts are downloaded from a remote
> repository. While this strategy is efficient when working with a clean local
> repository, it can create problems if two Maven projects share a local
> repository, where only one project validates hashes. If the first project has
> downloaded a corrupted artifact, the second project would now use this
> corrupted artifact despite knowing a non-matching checksum.
> With the proposed change, artifacts are validated whenever they are resolved.
> This allows to retain the integrity of a project also when sharing a local
> Maven repository with other, unsecured projects.
> The current PR only activates this general validation if a global validation
> policy is defined.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
