[ https://issues.apache.org/jira/browse/MRESOLVER-268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17607666#comment-17607666 ]

ASF GitHub Bot commented on MRESOLVER-268:
------------------------------------------

cstamas commented on PR #191:
URL: https://github.com/apache/maven-resolver/pull/191#issuecomment-1253506892

After reviewing the intent from https://issues.apache.org/jira/browse/MRESOLVER-268 ("to retain the integrity of a project also when sharing a local Maven repository with other, unsecured projects"), I'd call this somewhat too "edgy" a use case, partially due to the already mentioned fact that installed artifacts have no checksums installed; only downloaded ones have them. Hence, if two or more (unrelated) projects share the same local repository, the checksum-less artifact installed by one may become a "foreign" dependency in another. Also, checksumming (over and over again) ALL resolved files, as this PR does, is too much overhead IMHO.

I am putting this PR "on hold" to have a discussion about this. Personally, I am on the side of keeping "provided checksums" what they are meant to be: **third type of transport checksums**. This seems to me like some sort of misuse of them.

> Apply artifact checksum verification for any resolved artifact
> --------------------------------------------------------------
>
>                 Key: MRESOLVER-268
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-268
>             Project: Maven Resolver
>          Issue Type: Improvement
>          Components: Resolver
>            Reporter: Rafael Winterhalter
>            Assignee: Tamás Cservenák
>            Priority: Major
>             Fix For: resolver-next
>
>
> Maven resolver currently only verifies provided checksums (via 
> ProvidedChecksumsSource) when artifacts are downloaded from a remote 
> repository. While this strategy is efficient when working with a clean local 
> repository, it can create problems if two Maven projects share a local 
> repository, where only one project validates hashes. If the first project has 
> downloaded a corrupted artifact, the second project would now use this 
> corrupted artifact despite knowing a non-matching checksum.
> With the proposed change, artifacts are validated whenever they are resolved. 
> This allows to retain the integrity of a project also when sharing a local 
> Maven repository with other, unsecured projects.
> The current PR only activates this general validation if a global validation 
> policy is defined.
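The shared-local-repository scenario from the issue description, as an added Python simulation (not Maven Resolver code; the LocalRepo class, the coordinates and the jar payloads are constructed stand-ins): with a provided checksum checked only on download, project B silently resolves the copy that project A cached, whereas checking on every resolution rejects it.

```python
import hashlib
import tempfile
from pathlib import Path

class ChecksumMismatch(Exception):
    pass

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

class LocalRepo:
    """Hypothetical stand-in for a shared local Maven repository (not resolver code)."""
    def __init__(self, root: Path):
        self.root = root
    def _file(self, coord: str) -> Path:  # org.example:lib:1.0 -> org/example/lib/1.0/lib-1.0.jar
        group, artifact, version = coord.split(":")
        directory = self.root.joinpath(*group.split("."), artifact, version)
        directory.mkdir(parents=True, exist_ok=True)
        return directory / f"{artifact}-{version}.jar"
    def is_cached(self, coord): return self._file(coord).exists()
    def store(self, coord, data): self._file(coord).write_bytes(data)
    def read(self, coord): return self._file(coord).read_bytes()

def resolve(repo, coord, fetch, provided, verify_on_resolve):
    """fetch(coord) stands in for the remote download; provided maps coord -> expected SHA-1."""
    if not repo.is_cached(coord):
        data = fetch(coord)
        # Current behaviour: a provided checksum is checked only when the artifact is downloaded.
        if coord in provided and sha1_hex(data) != provided[coord]:
            raise ChecksumMismatch(coord)
        repo.store(coord, data)
    data = repo.read(coord)
    # Proposed behaviour: re-check the provided checksum on every resolution, cached or not.
    if verify_on_resolve and coord in provided and sha1_hex(data) != provided[coord]:
        raise ChecksumMismatch(coord)
    return data

def shared_repo_scenario(verify_on_resolve: bool) -> str:
    """Project A (no checksums) caches a bad copy; project B (with checksum) resolves it next."""
    coord = "org.example:lib:1.0"  # constructed coordinates and payloads
    good, corrupted = b"genuine jar bytes", b"tampered jar bytes"
    with tempfile.TemporaryDirectory() as tmp:
        repo = LocalRepo(Path(tmp))
        resolve(repo, coord, lambda c: corrupted, {}, verify_on_resolve)
        try:
            resolve(repo, coord, lambda c: good, {coord: sha1_hex(good)}, verify_on_resolve)
            return "accepted"
        except ChecksumMismatch:
            return "rejected"
```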
--
This message was sent by Atlassian Jira
(v8.20.10#820010)