As with all things Maven and Central, we must consider the long tail
of versions in use. It's not going to work to flip a switch and fork
the community over updated hashes. Instead the role of Maven here
should be first to enable the new hashes but it shouldn't blow up if a
given upstream tool
On 2020-05-31 at 17:19, Robert Scholte wrote:
hi,
It would be great if Sonatype could lead this request.
It seems like a similar process compared to the TLSv1.2 requirement and the
drop of http
They have the best overview in how to handle the switch to different hashes.
You can already start
Here is the PR draft: https://github.com/apache/maven-resolver/pull/52
Feel free to review
I also think a phase parallel rollout would be more useful, also
consider lots of projects still won't upgrade to java 8 because they
want to maintain backwards compatibility.
1. maven 3.7.0 add support for list of hashes, valid list, warning
list and banned list
2. maven 3.7.0 add sha-2 and
On 2020-05-31 at 18:46, Maarten Mulders wrote:
Hi,
It's great to see support for more secure hashing algorithms coming.
At the risk of suggesting something that is already there, or is just
not feasible... Wouldn't it be possible to have a smoother transition by
allowing multiple hashes at
Hi,
It's great to see support for more secure hashing algorithms coming.
At the risk of suggesting something that is already there, or is just
not feasible... Wouldn't it be possible to have a smoother transition by
allowing multiple hashes at the same time?
When resolving, if there is a
hi,
It would be great if Sonatype could lead this request.
It seems like a similar process compared to the TLSv1.2 requirement and the
drop of http
They have the best overview in how to handle the switch to different hashes.
You can already start with #1, but until then I would be careful with #2
Folks,
I have been recently (indirectly) approached by Mark Thomas for the
Tomcat committers that he wants to provide SHA-2 hashes for all uploaded
Tomcat artifacts in Central. Since Nexus 2.14.18 supports this properly
for validation, I have picked up MRESOLVER-56 and asked for testing.