maven-issues mailing list archives

From "Jason van Zyl (JIRA)" <>
Subject [jira] [Commented] (MNG-5728) Switch the default checksum policy from "warn" to "fail"
Date Fri, 01 Jan 2016 15:50:39 GMT


Jason van Zyl commented on MNG-5728:

So I'll give you some food for thought. This doesn't make Maven more secure, really, but it
would help with artifacts not being downloaded entirely or correctly. It was set to warn for
historical reasons because many artifacts didn't have checksum files deployed. This has been
largely corrected by the submission policy to Maven Central where there have to be checksum
files. Where the cut off point in the past is I'm not sure. I'm also not sure how well organizations
enforce this internally, especially where non-Maven systems are used to deploy. While I agree
it makes sense to be the default I'd like to prevent the potential where in a minor version
change we make a major behavioral change that causes people a lot of grief.

So I'm all for changing this but why don't we throw this in the bucket for 4.x where we make
other large changes: Java8, massive deprecation removal, removal of Plexus, and anything
where people should know and understand the impact of changing. In this particular case I
think there are more builds than you might expect that would be affected by this change.

That's my take at any rate.

> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>                 Key: MNG-5728
>                 URL:
>             Project: Maven
>          Issue Type: Improvement
>          Components: Artifacts and Repositories
>            Reporter: Nicolas Juneau
>            Priority: Minor
>
> The default checksum policy when obtaining artifacts during a build is currently, by
> default, "warn". This seems a bit odd for me since a checksum is usually used to prevent the
> use of corrupted data.
>
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is easy to
> miss a bad checksum warning. I am aware that there is a checksumPolicy setting in Maven, but,
> unless I am mistaken, it cannot be defined for all repositories at once. It has to be done
> either on a per-repository basis or by using the "strict-checksum" flag in the command line.
>
> After searching around a bit on the Web and with the help of a coworker, we discovered
> that the default "warn" setting was mainly there because some repositories were not handling
> checksums quite well. Issue MNG-339 contains some information about this.
>
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the default "warn"
> setting is really there for historical reasons.
>
> I believe that a default value of "fail" would greatly reduce the likelihood of errors
> and also slightly increase the security of Maven. Corrupted artifacts should not, by default,
> be used for builds.
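
An added example, not part of the original message or the issue text and not Maven's own code: a simplified Python model of how a resolver could apply the "ignore", "warn" and "fail" checksum policies discussed above to a download and its `.sha1` sidecar. The function names, the sample bytes, and the choice to treat a missing sidecar as a failed check are assumptions of this sketch.

```python
import hashlib
import logging

log = logging.getLogger("checksum-policy-model")


class ChecksumFailure(Exception):
    """Verification did not succeed and the policy is 'fail'."""


def parse_sidecar(text):
    """Return the hex digest from a .sha1 sidecar, or None if unusable.

    A sidecar may hold a bare digest or 'digest  filename'; use the first token.
    """
    tokens = (text or "").split()
    if not tokens:
        return None
    digest = tokens[0].lower()
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        return None
    return digest


def accept_artifact(data, sidecar_text, policy="warn"):
    """Return (accepted, problem); raise ChecksumFailure under policy 'fail'."""
    if policy not in ("ignore", "warn", "fail"):
        raise ValueError("unknown checksum policy: %r" % (policy,))
    if policy == "ignore":
        return True, None
    expected = parse_sidecar(sidecar_text)
    actual = hashlib.sha1(data).hexdigest()
    if expected == actual:
        return True, None
    # Assumption of this model: a missing sidecar counts as a failed check.
    problem = "no usable checksum" if expected is None else "checksum mismatch"
    if policy == "fail":
        raise ChecksumFailure(problem)
    log.warning("%s; policy=warn, so the artifact is used anyway", problem)
    return True, problem


# Constructed sample data, not a real artifact.
GOOD = b"constructed jar bytes"
TRUNCATED = GOOD[:10]  # simulates an incomplete download
SIDECAR = hashlib.sha1(GOOD).hexdigest() + "  example-1.0.jar\n"

if __name__ == "__main__":
    print(accept_artifact(GOOD, SIDECAR, "fail"))
    print(accept_artifact(TRUNCATED, SIDECAR, "warn"))
```

Under "warn" the truncated download is accepted with only a log line, which is the behaviour the issue describes as easy to miss. Because the sidecar comes from the same repository as the artifact, this check detects corruption in transit or storage rather than establishing where the artifact came from.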
