[jira] [Commented] (MRESOLVER-268) Apply artifact checksum verification for any resolved artifact

Wed, 21 Sep 2022 06:42:10 -0700 


    [ 
https://issues.apache.org/jira/browse/MRESOLVER-268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17607759#comment-17607759
 ] 

ASF GitHub Bot commented on MRESOLVER-268:
------------------------------------------

raphw commented on PR #191:
URL: https://github.com/apache/maven-resolver/pull/191#issuecomment-1253730059

   As a user, you do not normally have control over the state of your/the build 
server's local repository. A build server might share some mounted folder with 
many nodes to reduce traffic, especially in cloud environments this night be 
implemented to avoid additional traffic. If other builds do not validate the 
checksums and my build will neither as a consequence, then the principal that 
any used artifact can be validated based on locally available information is 
broken. I could still emulate this by using a setting with a fresh repository 
location, but ideally I would want to treat the repository as an untrusted, 
remote server, just like a remote repository, only with the convenience that 
the artifacts are already downloaded.
   
   For this reason I was hoping for an option to evaluate this. If not by 
default, maybe by setting a system property, as allowing for a zero trust 
approach is quite handy. Maybe this system property could also allow for 
generating these checksum files.




> Apply artifact checksum verification for any resolved artifact
> --------------------------------------------------------------
>
>                 Key: MRESOLVER-268
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-268
>             Project: Maven Resolver
>          Issue Type: Improvement
>          Components: Resolver
>            Reporter: Rafael Winterhalter
>            Assignee: Tamás Cservenák
>            Priority: Major
>
> Maven resolver currently only verifies provided checksums (via 
> ProvidedChecksumsSource) when artifacts are downloaded from a remote 
> repository. While this strategy is efficient when working with a clean local 
> repository, it can create problems if two Maven projects share a local 
> repository, where only one project validates hashes. If the first project has 
> downloaded a corrupted artifact, the second project would now use this 
> corrupted artifact despite knowing a non-matching checksum.
> With the proposed change, artifacts are validated whenever they are resolved. 
> This allows to retain the integrity of a project also when sharing a local 
> Maven repository with other, unsecured projects.
> The current PR only activates this general validation if a global validation 
> policy is defined.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to