Maven 4 comes with --strict-checksums on by default. Do I understand correctly that this protection only applies for dependencies that have previously been downloaded? And that there's value in implementing something like https://github.com/chains-project/maven-lockfile or https://github.com/vandmo/dependency-lock-maven-plugin ?
Thanks, Delany
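As an added illustration of the difference the question is circling around (this is not code from the original post, from Maven, or from either plugin linked above): Maven's checksum policy compares a downloaded artifact against the `.sha1` sidecar file fetched from the same repository, so it catches corrupted or truncated transfers but not a repository (or an unauthenticated mirror) that serves a different artifact together with a matching checksum. A lockfile pins the checksum recorded at a trusted first resolution inside the project, so a later build compares against that pinned value instead. The script below models a remote repository as a temporary directory; the lockfile structure (`coordinates -> sha256`) is a simplified stand-in and is not the real format of either plugin.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def coords_to_path(repo_root: Path, coords: str) -> Path:
    """Map 'group:artifact:version' to the standard Maven repository layout."""
    group, artifact, version = coords.split(":")
    return repo_root / group.replace(".", "/") / artifact / version / f"{artifact}-{version}.jar"


def publish(repo_root: Path, coords: str, content: bytes) -> Path:
    """Write the jar and its .sha1 sidecar the way a remote repository serves them."""
    jar = coords_to_path(repo_root, coords)
    jar.parent.mkdir(parents=True, exist_ok=True)
    jar.write_bytes(content)
    jar.with_name(jar.name + ".sha1").write_text(sha1_hex(content) + "\n")
    return jar


def repo_checksum_ok(jar: Path) -> bool:
    """Models a strict checksum policy: the artifact must match the repository's own .sha1 file.
    Sidecar files may carry a trailing filename, so only the first token is the digest."""
    sidecar = jar.with_name(jar.name + ".sha1")
    expected = sidecar.read_text().split()[0].lower()
    return sha1_hex(jar.read_bytes()) == expected


def lockfile_ok(jar: Path, coords: str, lockfile: dict) -> bool:
    """Models a lockfile check: the artifact must match the checksum pinned in the project.
    A coordinate missing from the lockfile is treated as a failure, not as 'unpinned'."""
    pinned = lockfile.get(coords)
    return pinned is not None and sha256_hex(jar.read_bytes()) == pinned


def demo() -> dict:
    """Run three scenarios and report which check passes in each (constructed inputs)."""
    coords = "org.example:lib:1.0"
    genuine = b"PK\x03\x04 constructed genuine lib-1.0.jar bytes"
    tampered = b"PK\x03\x04 constructed backdoored lib-1.0.jar bytes"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        jar = publish(repo, coords, genuine)
        # The lockfile is generated once, from the trusted first resolution.
        lockfile = {coords: sha256_hex(genuine)}

        # Scenario 1: untouched artifact. Both checks pass.
        results["genuine"] = (repo_checksum_ok(jar), lockfile_ok(jar, coords, lockfile))

        # Scenario 2: the repository (or an unauthenticated mirror) swaps the artifact
        # AND its sidecar. The repository check still passes; only the lockfile notices.
        publish(repo, coords, tampered)
        results["repo_compromised"] = (repo_checksum_ok(jar), lockfile_ok(jar, coords, lockfile))

        # Scenario 3: bytes corrupted in transit, sidecar untouched. Both checks fail,
        # which is the case a strict checksum policy is designed to catch.
        jar.write_bytes(genuine + b"\x00")
        results["corrupted_transfer"] = (repo_checksum_ok(jar), lockfile_ok(jar, coords, lockfile))
    return results


if __name__ == "__main__":
    for scenario, (repo_ok, lock_ok) in demo().items():
        print(f"{scenario:20s} repo_checksum={repo_ok!s:5s} lockfile={lock_ok}")
```

The second scenario is the one that decides whether a lockfile is worth adding: any check whose reference value comes from the same place as the artifact cannot detect that place being wrong, whereas a checksum committed alongside the build definition turns a later substitution into a build failure. Treating an entry that is absent from the lockfile as a failure is deliberate, since a silently unpinned dependency is exactly the gap a lockfile is meant to close.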