[
https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14735506#comment-14735506
]
Nicolas Juneau commented on MNG-5728:
-------------------------------------
In case you are wondering how I came into experiencing this issue, I don't have
the specific artifacts that were corrupted (it's been almost a year - I don't
quite recall which ones were failing).
I became aware of the corrupt artifacts because I was having build failures
where others did not (using the same code base and compiler). It was after a
bit of investigation that I realized that some developers were not always
setting their checksum policy in their settings. Since, like I said, Maven
produces a lot of output or, in case of builds managed by m2e, almost none, it
was pretty easy to miss the fact that some potentially corrupted artifacts were
used in builds. Newer, intact versions of artifacts were produced upstream so
we didn't have to do any special configuration on our side to fix the problem,
but if it wasn't of careful examination of the output logs, this could easily
have gone without notice. I now strongly recommend to alias "mvn" to "mvn -C"
and set the checksum policy to fail in order to prevent that kind of problems.
> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
> Key: MNG-5728
> URL: https://issues.apache.org/jira/browse/MNG-5728
> Project: Maven
> Issue Type: Improvement
> Components: Artifacts and Repositories
> Reporter: Nicolas Juneau
> Priority: Minor
>
> The default checksum policy when obtaining artifacts during a build is
> currently, by default, "warn". This seems a bit odd for me since a checksum
> is usually used to prevent the use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is
> easy to miss a bad checksum warning. I am aware that there is a
> checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be
> defined for all repositories at once. It has to be done either on a
> per-repository basis or by using the "strict-checksum" flag in the command
> line.
> After searching around a bit on the Web and with the help of a coworker, we
> discovered that the default "warn" setting was mainly there because some
> repositories were not handling checksums quite well. Issue MNG-339 contains
> some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the
> default "warn" setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood
> of errors and also slightly increase the security of Maven. Corrupted
> artifacts should not, by default, be used for builds.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
