maven-issues mailing list archives

From "Christopher Tubbs (JIRA)" <>
Subject [jira] [Commented] (MNG-5728) Switch the default checksum policy from "warn" to "fail"
Date Tue, 26 Sep 2017 20:17:00 GMT


Christopher Tubbs commented on MNG-5728:

Would love to see this. Saw a colleague just waste several hours on fixing what he thought
to be a classloader issue in a maven plugin, when it was really just a corrupted jar file
(presumably because of a bad internet connection).

> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>                 Key: MNG-5728
>                 URL:
>             Project: Maven
>          Issue Type: Improvement
>          Components: Artifacts and Repositories
>            Reporter: Nicolas Juneau
>            Priority: Minor
>             Fix For: Issues to be reviewed for 4.x
> The default checksum policy when obtaining artifacts during a build is currently, by
> default, "warn". This seems a bit odd for me since a checksum is usually used to prevent the
> use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is easy to
> miss a bad checksum warning. I am aware that there is a checksumPolicy setting in Maven, but,
> unless I am mistaken, it cannot be defined for all repositories at once. It has to be done
> either on a per-repository basis or by using the "strict-checksum" flag in the command line.
> After searching around a bit on the Web and with the help of a coworker, we discovered
> that the default "warn" setting was mainly there because some repositories were not handling
> checksums quite well. Issue MNG-339 contains some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the default "warn"
> setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood of errors
> and also slightly increase the security of Maven. Corrupted artifacts should not, by default,
> be used for builds.

This message was sent by Atlassian JIRA
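
Added example, not part of the original message or of Maven itself: a Python audit that finds jars already in a local repository whose content no longer matches the downloaded checksum, the situation the comment describes after a "warn" was missed. It assumes each jar has a `.sha1` sidecar file next to it (`<name>.jar.sha1`); the function names and the sample files are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Sidecar formats vary ("<hex>", "<hex>  file", "SHA1(file)= <hex>"): take the first 40-hex token.
HEX40 = re.compile(r"\b[0-9a-fA-F]{40}\b")

def expected_sha1(sidecar: Path):
    """Return the digest recorded in a .sha1 sidecar, or None if none is found."""
    m = HEX40.search(sidecar.read_text(errors="replace"))
    return m.group(0).lower() if m else None

def actual_sha1(path: Path) -> str:
    """Hash the file in chunks so large jars are not read into memory at once."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(repo: Path):
    """Return (mismatched, unverifiable) lists of jar paths found under repo."""
    bad, unknown = [], []
    for jar in sorted(repo.rglob("*.jar")):
        sidecar = jar.with_name(jar.name + ".sha1")   # assumed sidecar naming
        want = expected_sha1(sidecar) if sidecar.is_file() else None
        if want is None:
            unknown.append(jar)       # nothing to compare against
        elif actual_sha1(jar) != want:
            bad.append(jar)           # what checksumPolicy "fail" would have rejected
    return bad, unknown

def demo():
    """Constructed sample: one intact jar, one truncated jar, one without a sidecar."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        data = b"PK\x03\x04 constructed jar bytes"
        digest = hashlib.sha1(data).hexdigest()
        (root / "good.jar").write_bytes(data)
        (root / "good.jar.sha1").write_text(digest + "  good.jar\n")
        (root / "cut.jar").write_bytes(data[:10])      # simulates an interrupted download
        (root / "cut.jar.sha1").write_text(digest)
        (root / "nosum.jar").write_bytes(data)
        bad, unknown = audit(root)
        return [p.name for p in bad], [p.name for p in unknown]

if __name__ == "__main__":
    print(demo())
```

A match only shows that the jar agrees with the checksum file downloaded alongside it, so this catches transfer corruption, not a repository that serves a modified artifact together with a matching checksum.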
