[ https://issues.apache.org/jira/browse/MWRAPPER-93?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tamas Cservenak reassigned MWRAPPER-93: --------------------------------------- Assignee: Tamas Cservenak > Distribution sha256 checksum not validated if the zip file was downloaded > previously > ------------------------------------------------------------------------------------ > > Key: MWRAPPER-93 > URL: https://issues.apache.org/jira/browse/MWRAPPER-93 > Project: Maven Wrapper > Issue Type: Bug > Components: Maven Wrapper Jar > Affects Versions: 3.2.0 > Reporter: Jorge Solórzano > Assignee: Tamas Cservenak > Priority: Major > Fix For: 3.3.0 > > > If I make a first run without *distributionSha256Sum*, the Maven distribution > will be downloaded without any checksum, this is the normal behavior. > But if I later add the *distributionSha256Sum* to the > maven-wrapper.properties file, having downloaded previously the distribution, > the checksum is not verified, I consider this a bug since even if the > distribution is already downloaded and unpacked it could contain a > compromised download. > The options *alwaysUnpack* and *alwaysDownload* triggers the verification and > provides an extra layer of security, but normally the local zip should be > verified always if the *distributionSha256Sum* is set. -- This message was sent by Atlassian Jira (v8.20.10#820010)