[
https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14735355#comment-14735355
]
Nicolas Juneau commented on MNG-5728:
-------------------------------------
Hello Michael,
Thank you for your comment. I agree that if the artifact cannot be modified or
updated by the developer trying to use said artifact, fixing it can be harder
especially if the maintainer cannot be reached. Then again, _by default_, I
don't see a reason for the build to continue without failure. While this may
not cause a compilation failure per-se, we cannot predict the effects that it
will have on runtime, especially if the checksum failure is the result of an
artifact being tampered with.
I can appreciate the usage of the "checksumPolicy" tag or "-c" flag to make
checksum checking lax in cases where I specifically _trust_ that checksums
aren't important, but should it be the _default_? That being said, you are
absolutely right that changing default behaviour isn't probably a good thing to
do in a patch version.
> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
> Key: MNG-5728
> URL: https://issues.apache.org/jira/browse/MNG-5728
> Project: Maven
> Issue Type: Improvement
> Components: Artifacts and Repositories
> Reporter: Nicolas Juneau
> Priority: Minor
>
> The default checksum policy when obtaining artifacts during a build is
> currently, by default, "warn". This seems a bit odd for me since a checksum
> is usually used to prevent the use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is
> easy to miss a bad checksum warning. I am aware that there is a
> checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be
> defined for all repositories at once. It has to be done either on a
> per-repository basis or by using the "strict-checksum" flag in the command
> line.
> After searching around a bit on the Web and with the help of a coworker, we
> discovered that the default "warn" setting was mainly there because some
> repositories were not handling checksums quite well. Issue MNG-339 contains
> some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the
> default "warn" setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood
> of errors and also slightly increase the security of Maven. Corrupted
> artifacts should not, by default, be used for builds.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
