[
https://issues.apache.org/jira/browse/MRESOLVER-268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17607792#comment-17607792
]
ASF GitHub Bot commented on MRESOLVER-268:
------------------------------------------
cstamas commented on PR #191:
URL: https://github.com/apache/maven-resolver/pull/191#issuecomment-1253819047
Just an example of a "post hook" that would allow you to do this in an extension.
But that very same extension may "wrap" DefaultArtifactResolver and just do
whatever you want (checksum check). Still, the implementation should be aware of
the container (sisu, vanilla Guice or SL)...
https://github.com/apache/maven-resolver/compare/master...cstamas:maven-resolver:post-resolve-hook?expand=1
> Apply artifact checksum verification for any resolved artifact
> --------------------------------------------------------------
>
> Key: MRESOLVER-268
> URL: https://issues.apache.org/jira/browse/MRESOLVER-268
> Project: Maven Resolver
> Issue Type: Improvement
> Components: Resolver
> Reporter: Rafael Winterhalter
> Assignee: Tamás Cservenák
> Priority: Major
>
> Maven resolver currently only verifies provided checksums (via
> ProvidedChecksumsSource) when artifacts are downloaded from a remote
> repository. While this strategy is efficient when working with a clean local
> repository, it can create problems if two Maven projects share a local
> repository, where only one project validates hashes. If the first project has
> downloaded a corrupted artifact, the second project would now use this
> corrupted artifact despite knowing a non-matching checksum.
> With the proposed change, artifacts are validated whenever they are resolved.
> This allows retaining the integrity of a project also when sharing a local
> Maven repository with other, unsecured projects.
> The current PR only activates this general validation if a global validation
> policy is defined.
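The gap described in the issue, as an added example that is not code from the PR or from Maven Resolver: a file already present in a shared local repository is accepted when checksums are checked only on download, and rejected when they are checked on every resolution. It uses JDK calls only; the class name, the artifact path and the choice of SHA-1 are assumptions made for the illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.Map;

// Hypothetical demo class: models the two policies without any Resolver API.
public class ResolveTimeChecksumDemo {

    static String sha1Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(data);
        return String.format("%040x", new BigInteger(1, digest));
    }

    // Returns the cached file. With verifyOnResolve set, the file's SHA-1 is first
    // compared with the provided checksum, even though nothing was downloaded.
    static Path resolve(Path localRepo, String relPath, Map<String, String> provided,
                        boolean verifyOnResolve) throws Exception {
        Path file = localRepo.resolve(relPath);
        if (!Files.isRegularFile(file)) {
            throw new IllegalStateException("not cached (download path not modelled): " + relPath);
        }
        String expected = provided.get(relPath);
        if (verifyOnResolve && expected != null) {
            String actual = sha1Hex(Files.readAllBytes(file));
            if (!expected.equalsIgnoreCase(actual)) {
                throw new SecurityException("checksum mismatch for " + relPath
                        + ": expected " + expected + ", found " + actual);
            }
        }
        return file;
    }

    public static void main(String[] args) throws Exception {
        Path repo = Files.createTempDirectory("local-repo");
        String rel = "com/example/demo/1.0/demo-1.0.jar"; // constructed path
        Files.createDirectories(repo.resolve(rel).getParent());
        byte[] published = "published artifact bytes".getBytes(StandardCharsets.UTF_8);
        // A project without checksum validation left a corrupted copy in the shared repository.
        Files.write(repo.resolve(rel), "corrupted artifact bytes".getBytes(StandardCharsets.UTF_8));
        // The second project knows the checksum of the published artifact.
        Map<String, String> provided = Map.of(rel, sha1Hex(published));

        System.out.println("download-only check: accepted " + resolve(repo, rel, provided, false).getFileName());
        try {
            resolve(repo, rel, provided, true);
        } catch (SecurityException e) {
            System.out.println("resolve-time check: rejected, " + e.getMessage());
        }
    }
}
```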