[ https://issues.apache.org/jira/browse/MRESOLVER-268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574763#comment-17574763 ]
ASF GitHub Bot commented on MRESOLVER-268:
------------------------------------------

michael-o commented on PR #191:
URL: https://github.com/apache/maven-resolver/pull/191#issuecomment-1204085399

This should not be default for two reasons:
* It will apply a significant computational overhead
* Artifacts which have been locally installed don't have checksums at all

> Apply artifact checksum verification for any resolved artifact
> --------------------------------------------------------------
>
>                 Key: MRESOLVER-268
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-268
>             Project: Maven Resolver
>          Issue Type: Improvement
>            Reporter: Rafael Winterhalter
>            Priority: Major
>
> Maven resolver currently only verifies provided checksums (via ProvidedChecksumsSource) when artifacts are downloaded from a remote repository. While this strategy is efficient when working with a clean local repository, it can create problems if two Maven projects share a local repository, where only one project validates hashes. If the first project has downloaded a corrupted artifact, the second project would now use this corrupted artifact despite knowing a non-matching checksum.
> With the proposed change, artifacts are validated whenever they are resolved. This allows retaining the integrity of a project also when sharing a local Maven repository with other, unsecured projects.
> The current PR only activates this general validation if a global validation policy is defined.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
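The shared-local-repository scenario from the issue description, modelled as an added example. This is not Maven Resolver code and not code from the PR: the resolver, the "download" and "always" policies, the in-memory remote/local repositories and the artifact bytes are all constructed here to show why verifying provided checksums only at download time lets a corrupted cached artifact through, and how the second reason in michael-o's comment (locally installed artifacts carry no checksum) shows up as an artifact that an "always" policy cannot verify.

```python
"""Constructed model of checksum verification on a shared Maven-style local repo.

Not Maven Resolver code. Two verification policies are modelled:
  "download": verify a provided checksum only when the artifact is fetched from
              the remote repository (the current behaviour described in the issue)
  "always":   verify every time the artifact is resolved, cached or not
              (the behaviour proposed in MRESOLVER-268)
"""
import hashlib


def sha1_hex(data: bytes) -> str:
    """Maven repositories publish .sha1 sidecars; the model uses SHA-1 to match."""
    return hashlib.sha1(data).hexdigest()


class ChecksumMismatch(Exception):
    """Raised when a provided checksum does not match the artifact bytes."""


class Resolver:
    def __init__(self, remote, local, provided, policy):
        self.remote = remote      # coords -> bytes the remote repository serves
        self.local = local        # shared local repository: coords -> bytes
        self.provided = provided  # coords -> expected sha1 (provided checksums)
        self.policy = policy      # None (no verification), "download" or "always"

    def _verify(self, coords, data):
        expected = self.provided.get(coords)
        if expected is None:
            # A locally installed artifact has no provided checksum, so there is
            # nothing to compare against (michael-o's second objection).
            return "unverified"
        if sha1_hex(data) != expected:
            raise ChecksumMismatch(coords)
        return "verified"

    def resolve(self, coords):
        if coords in self.local:
            data = self.local[coords]
            # Only the "always" policy re-checks an artifact already in the cache.
            status = self._verify(coords, data) if self.policy == "always" else "cached"
            return data, status
        data = self.remote[coords]
        status = "downloaded"
        if self.policy in ("download", "always"):
            status = self._verify(coords, data)
        self.local[coords] = data  # populate the shared local repository
        return data, status


def scenario(secure_policy):
    """Two projects share one local repo; only the second verifies checksums."""
    coords = "org.example:lib:1.0"  # hypothetical coordinates
    good = b"constructed good jar bytes"
    corrupted = b"constructed tampered jar bytes"
    provided = {coords: sha1_hex(good)}
    local = {}
    # Project 1 has no validation policy and pulls a corrupted artifact from a
    # misbehaving remote into the shared local repository.
    insecure = Resolver({coords: corrupted}, local, provided, policy=None)
    insecure.resolve(coords)
    # Project 2 shares that local repository and does verify provided checksums.
    secure = Resolver({coords: good}, local, provided, policy=secure_policy)
    try:
        data, _status = secure.resolve(coords)
    except ChecksumMismatch:
        return "rejected"
    return "accepted-corrupt" if data == corrupted else "accepted-good"


def locally_installed_status():
    """An artifact from `mvn install` has no provided checksum to verify against."""
    coords = "org.example:app:1.0-SNAPSHOT"  # hypothetical coordinates
    local = {coords: b"constructed bytes produced by a local install"}
    return Resolver({}, local, {}, policy="always").resolve(coords)[1]


if __name__ == "__main__":
    print("download-only policy:", scenario("download"))   # accepted-corrupt
    print("always policy:      ", scenario("always"))     # rejected
    print("locally installed:  ", locally_installed_status())  # unverified
```

Under the "download" policy the second project trusts whatever the first one left in the cache, which is exactly the gap the issue describes; under "always" the stale corrupted file is caught on resolution. The model also makes the cost visible: every `resolve` under "always" hashes the artifact again, which is the overhead michael-o raises, and it surfaces locally installed artifacts as "unverified" rather than rejecting them, since there is no checksum to compare.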