[ 
https://issues.apache.org/jira/browse/MRESOLVER-268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17575129#comment-17575129
 ] 

ASF GitHub Bot commented on MRESOLVER-268:
------------------------------------------

cstamas commented on PR #191:
URL: https://github.com/apache/maven-resolver/pull/191#issuecomment-1204954822

   ProvidedChecksumsSource was done to be aligned with the other checksum stuff 
(external, inlined and provided), and the whole resolver was done in a way that 
only the remote transport checks checksums. Before, it was envisioned to have the 
local repo "nuked" (hence, CI starts from a clean slate), and whatever you build 
up in the local repo afterwards is either downloaded (and will have its checksum 
checked) or was produced during the build. Naturally, this implies some sort of 
artifact cache (a repo manager of any kind).
   
   These days, OTOH, CIs like GH Actions can and do cache the local repository, so 
this change would make sense IMHO.
   
   Still, the whole resolver was originally implemented in this spirit (as 
@michael-o explained above), hence this may/will inevitably lead to breakage, 
especially if the local repo is shared across projects (so, where a "suddenly" 
locally built/installed artifact becomes a dependency).
   
   For me, it "smells" like split repository could come into play, but this is 
still just a hunch/feeling/faint idea, and I am unsure how and where.
> Apply artifact checksum verification for any resolved artifact
> --------------------------------------------------------------
>
>                 Key: MRESOLVER-268
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-268
>             Project: Maven Resolver
>          Issue Type: Improvement
>            Reporter: Rafael Winterhalter
>            Priority: Major
>
> Maven resolver currently only verifies provided checksums (via 
> ProvidedChecksumsSource) when artifacts are downloaded from a remote 
> repository. While this strategy is efficient when working with a clean local 
> repository, it can create problems if two Maven projects share a local 
> repository where only one project validates hashes. If the first project has 
> downloaded a corrupted artifact, the second project would now use this 
> corrupted artifact despite knowing of a non-matching checksum.
> With the proposed change, artifacts are validated whenever they are resolved. 
> This allows retaining the integrity of a project also when sharing a local 
> Maven repository with other, unsecured projects.
> The current PR only activates this general validation if a global validation 
> policy is defined.
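The scenario in the issue description (a shared local repository where one project kept a corrupted download and another project later resolves it without any remote transfer taking place) can be checked after the fact by comparing every artifact file against the checksum sidecars stored beside it. The following scan is an added example written for this thread; it is not Maven Resolver code and does not use the Resolver API. It assumes the standard local repository layout (`<groupPath>/<artifactId>/<version>/<file>` with `<file>.sha1`, `.sha256`, `.sha512` or `.md5` sidecars), and the sample repository it builds under a temporary directory is constructed for the demonstration.

```python
"""Verify artifacts in a Maven-style local repository against their checksum sidecars.

Added example for this thread, not Maven Resolver's own code. It models the
resolve-time check discussed in the issue (checking every resolved artifact, not
only freshly downloaded ones) as a stand-alone scan over a local repository
layout. The sample repository built in build_sample_repository() is constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Sidecar extension -> hashlib algorithm. Dict order is the preference order
# (strongest first) when more than one sidecar exists for the same artifact.
CHECKSUM_SIDECARS = {".sha512": "sha512", ".sha256": "sha256", ".sha1": "sha1", ".md5": "md5"}


@dataclass(frozen=True)
class Finding:
    artifact: str   # path relative to the repository root
    algorithm: str  # which sidecar was compared ("none" if there was no sidecar)
    status: str     # "ok", "mismatch" or "no-checksum"


def read_sidecar_digest(path: Path) -> str:
    """Return the hex digest stored in a checksum sidecar.

    Maven writes a bare hex string, but sidecars produced by sha1sum-style tools
    carry a trailing '  filename'; keep only the first token and normalise case.
    """
    return path.read_text(encoding="utf-8", errors="replace").split()[0].lower()


def file_digest(path: Path, algorithm: str) -> str:
    """Stream the file through hashlib so large artifacts are not read into memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(artifact: Path, root: Path) -> Finding:
    """Compare an artifact against its strongest available sidecar checksum."""
    rel = artifact.relative_to(root).as_posix()
    for ext, algorithm in CHECKSUM_SIDECARS.items():
        sidecar = artifact.with_name(artifact.name + ext)
        if sidecar.is_file():
            expected = read_sidecar_digest(sidecar)
            actual = file_digest(artifact, algorithm)
            return Finding(rel, algorithm, "ok" if expected == actual else "mismatch")
    return Finding(rel, "none", "no-checksum")


def scan_repository(root: Path) -> list[Finding]:
    """Verify every artifact file under root; sidecars and resolver bookkeeping are skipped."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix in CHECKSUM_SIDECARS:
            continue
        # _remote.repositories and maven-metadata-local.xml are written locally and carry no checksum.
        if path.name.startswith("_") or path.name == "maven-metadata-local.xml":
            continue
        findings.append(verify_artifact(path, root))
    return findings


def build_sample_repository(root: Path) -> None:
    """Constructed sample: one intact artifact, one corrupted after its checksum was
    recorded, and one without any sidecar (how a locally installed artifact looks)."""
    def put(rel: str, data: bytes, checksum_alg: str | None) -> None:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        if checksum_alg:
            ext = next(e for e, a in CHECKSUM_SIDECARS.items() if a == checksum_alg)
            p.with_name(p.name + ext).write_text(hashlib.new(checksum_alg, data).hexdigest() + "\n")

    put("org/example/good/1.0/good-1.0.jar", b"PK\x03\x04 good artifact bytes", "sha1")
    put("org/example/bad/1.0/bad-1.0.jar", b"PK\x03\x04 original bytes", "sha256")
    # Corruption that happened after the sidecar was written: the bytes a non-validating
    # project kept, which a stricter project would now resolve without re-downloading.
    (root / "org/example/bad/1.0/bad-1.0.jar").write_bytes(b"PK\x03\x04 tampered bytes")
    put("org/example/local/1.0-SNAPSHOT/local-1.0-SNAPSHOT.jar", b"PK\x03\x04 locally built", None)


def demo() -> dict[str, str]:
    """Scan the constructed repository; returns {artifact: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repository(root)
        return {f.artifact: f.status for f in scan_repository(root)}


if __name__ == "__main__":
    for artifact, status in demo().items():
        print(f"{status:12} {artifact}")
```

Pointing `scan_repository()` at a real `~/.m2/repository` lists every artifact whose bytes no longer match the checksum recorded when it was downloaded, which is exactly the case the issue says a remote-transport-only check cannot catch. The `no-checksum` status marks artifacts with no sidecar at all, which is where the breakage the comment above anticipates for locally installed artifacts would surface in a resolve-time policy.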
--
This message was sent by Atlassian Jira
(v8.20.10#820010)