ascheman opened a new issue, #1920:
URL: https://github.com/apache/maven-resolver/issues/1920
## Behavior
When a remote repository transfer yields no checksum data (the artifact is
fetched but neither `.sha1` nor `.md5` companion exists for the resource),
`AbstractChecksumPolicy.onNoMoreChecksums()` raises a
`ChecksumFailureException` unconditionally:
```java
@Override
public void onNoMoreChecksums() throws ChecksumFailureException {
    throw new ChecksumFailureException("Checksum validation failed, no checksums available");
}
```
`WarnChecksumPolicy` and `FailChecksumPolicy` inherit this method without
overriding it, so `warn` raises the same hard exception as `fail` in this
code path. The current behavior is pinned by
`WarnChecksumPolicyTest.testOnNoMoreChecksums`, so it is intentional /
documented state — but the consequence for users is that only
`<checksumPolicy>ignore</checksumPolicy>` effectively lets transfers proceed
when checksum data is absent, regardless of how the policy is named.
## Where this matters in practice
The `file://` test-fixture pattern hits this every time. Apache plugins have
been working around it by setting `<checksumPolicy>ignore</checksumPolicy>`
in `src/it[/mrm]/settings.xml`. Snapshot from
`gh api search/code` 2026-06-10:
**Added during Maven 4 API migration (June 2024)**
- apache/maven-clean-plugin —
[`2da14745`](https://github.com/apache/maven-clean-plugin/commit/2da147458800dfe9ecc24865aef0e718ac56df57)
(apache/maven-clean-plugin#20)
- apache/maven-compiler-plugin —
[`9dc957dc`](https://github.com/apache/maven-compiler-plugin/commit/9dc957dc55f8a0baeef423084a95769f92951047)
- apache/maven-deploy-plugin —
[`88ce1593`](https://github.com/apache/maven-deploy-plugin/commit/88ce1593800015ac41e61f3c78d9b4d0ecb97460)
- apache/maven-project-info-reports-plugin —
[`a44cc8ab`](https://github.com/apache/maven-project-info-reports-plugin/commit/a44cc8ab44dda25c08d658666e0b2dadf826f93d)
(apache/maven-project-info-reports-plugin#70)
- apache/maven-resources-plugin —
[`3716fc1a`](https://github.com/apache/maven-resources-plugin/commit/3716fc1aa45d0a33e19f7f4e528a5a6b7b6dbb67)
(apache/maven-resources-plugin#35)
The five June-2024 commits cluster within 17 days and four of their subject
lines explicitly read "Switch to Maven 4 API". This is the strongest
empirical signal that Maven 4 / Resolver 2.x made the workaround materially
more common.
**Long-standing (pre Maven 4) for `file://` + mock-repository-manager IT
setups**
- apache/maven-dependency-plugin (2014) —
[`1eef3011`](https://github.com/apache/maven-dependency-plugin/commit/1eef3011318846808108636aa5c0f071b9fc09f0)
- apache/maven-jlink-plugin (2017) —
[`56c529d6`](https://github.com/apache/maven-jlink-plugin/commit/56c529d648d77c8b83d69ee53e7a114b533e3b60)
- apache/maven-site-plugin (2019) —
[`45afac34`](https://github.com/apache/maven-site-plugin/commit/45afac342f1cf88db086f63aad81be06aa7770d8)
- apache/maven-shade-plugin (2020) —
[`52c476a9`](https://github.com/apache/maven-shade-plugin/commit/52c476a9acf8c9af03d04a29f33ced905906275c)
- apache/maven-scripting-plugin (2021) —
[`028a9003`](https://github.com/apache/maven-scripting-plugin/commit/028a9003433ade64782ab9c13ae5c679f003f3e3)
- apache/maven-install-plugin (2022) —
[`ce0666e4`](https://github.com/apache/maven-install-plugin/commit/ce0666e4220514e99a9384300981d2b50223b265)
The pattern has been needed for `file://` IT fixtures since at least 2014,
which is the same underlying reason — the layout expects checksums, the
file system does not provide them.
The latest example landed today as apache/maven-ear-plugin#505 (Maven 4
rc-5 IT compatibility), bringing the total to 12 plugins shipping the same
line.
## Related
- #1366 (MRESOLVER-242): @cstamas 2022 raised the analogous concern for
layout-omitted remote checksums. The patch addressed `.asc` / GPG
signature handling but did not extend to the "missing on disk despite
layout expecting checksums" case that drives the workaround above.
- #1782 / #1784 "Better checksum control" — adjacent design area.
- #1917 "Checksums: lack of information" — adjacent.
## Scope of this issue
This is a behavior observation plus cross-plugin evidence. Solution
proposals will be raised separately on `[email protected]` so the
design discussion happens with the right audience and the issue stays
focused on the empirical signal.
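An added example, not part of the original issue and not Maven Resolver code: because `ignore` is the only policy that lets checksum-less transfers proceed, this audit lists every repository in a `settings.xml` that sets `<checksumPolicy>ignore</checksumPolicy>` and marks whether it is a `file://` fixture, an unresolved build-time placeholder, or a remote URL that now skips verification. The sample XML, repository ids and URLs are constructed, and treating `@...@` / `${...}` URLs as unresolved placeholders is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample settings.xml (not copied from any plugin named in the issue).
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles><profile><repositories>
    <repository>
      <id>local.fixture</id><url>file:///tmp/it-repo</url>
      <releases><checksumPolicy>ignore</checksumPolicy></releases>
      <snapshots><checksumPolicy>ignore</checksumPolicy></snapshots>
    </repository>
    <repository>
      <id>filtered</id><url>@localRepositoryUrl@</url>
      <releases><checksumPolicy>ignore</checksumPolicy></releases>
    </repository>
    <repository>
      <id>remote.example</id><url>https://repo.example.invalid/maven2</url>
      <releases><checksumPolicy>ignore</checksumPolicy></releases>
      <snapshots><checksumPolicy>warn</checksumPolicy></snapshots>
    </repository>
  </repositories></profile></profiles>
</settings>"""

def local(tag):
    # Drop the "{namespace}" prefix so namespaced and plain files both match.
    return tag.rsplit("}", 1)[-1]

def text_of(node):
    return (node.text or "").strip() if node is not None else ""

def audit_ignore_policies(xml_text):
    """Return (repo id, section, verdict) for each section set to 'ignore'."""
    findings = []
    for repo in ET.fromstring(xml_text).iter():
        if local(repo.tag) not in ("repository", "pluginRepository"):
            continue
        fields = {local(child.tag): child for child in repo}
        url = text_of(fields.get("url"))
        for section in ("releases", "snapshots"):
            node = fields.get(section)
            children = node if node is not None else []
            policies = [text_of(p) for p in children if local(p.tag) == "checksumPolicy"]
            if "ignore" not in policies:
                continue
            if url.lower().startswith("file:"):
                verdict = "fixture"      # local IT repository, no checksum files on disk
            elif url.startswith("@") or "${" in url:
                verdict = "unresolved"   # placeholder: check what the build substitutes
            else:
                verdict = "remote"       # verification disabled for a network repository
            findings.append((text_of(fields.get("id")), section, verdict))
    return findings
```

Any `remote` verdict is a repository whose downloads are accepted with no checksum comparison at all, which is the case to review before the workaround is copied beyond test fixtures.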