[ https://issues.apache.org/jira/browse/MRESOLVER-56?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konrad Windszus updated MRESOLVER-56:
-------------------------------------
    Description: 
As both supported checksums on remote repositories (namely MD5 and SHA1) have 
known flaws, it would be nice if the Maven Resolver could also leverage other 
hashes like SHA256 and SHA512.
Although those hashes aren't part of the official Maven 2 repository layout 
(https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
 couldn't find any newer/other spec), I don't see how an additional {{.sha256}} 
or {{.sha512}} file could introduce backwards compatibility issues with older 
clients.

I think this namely would mean you would also return SHA512 and SHA256 if they 
exist and leverage them if they are supported by the JRE. The longer the hash, 
the better it is; therefore the hashes should be checked in the following order:
# SHA512
# SHA256
# SHA1
# MD5

This would need to be considered in the API within 
https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165
 and 
https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.

  was:
As both supported checksums on remote repositories (namely MD5 and SHA1 have 
known flaws) it would be nice if the Maven Resolver could also leverage other 
hashes like SHA256 and SHA512.
Although those hashes aren't part of the official Maven 2 repository layout 
(https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
 couldn't find any newer/other spec) I don't see how an additional .SHA256 file 
could introduce backwards compatibility issues with older clients.

I think this namely would mean you would also return SHA512 and SHA256 if they 
exist and leverage if they are supported by the JRE. The longer the hash the 
better it is, therefore the hashes should be checked in the following order
# SHA512
# SHA256
# SHA1
# MD5

This would need to be considered in the API within 
https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165
 and 
https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.


> Support SHA256 and SHA512 as hashes
> -----------------------------------
>
>                 Key: MRESOLVER-56
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-56
>             Project: Maven Resolver
>          Issue Type: Improvement
>          Components: resolver
>    Affects Versions: Maven Artifact Resolver 1.1.1
>            Reporter: Konrad Windszus
>            Priority: Major
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
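Added illustration of the policy proposed in the issue above; this is not Maven Resolver code and is not part of the original ticket. It walks the sidecar checksum files strongest first and verifies the artifact against the first one that both exists in the repository layout and whose algorithm the running JRE provides. The class, method and enum names are hypothetical, and the checksum-file parser assumes either a bare hex digest or the "digest  filename" form written by sha512sum/md5sum.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Hypothetical "strongest checksum first" verifier illustrating MRESOLVER-56.
 * Not Maven Resolver code; all names here are invented for the example.
 */
public final class OrderedChecksumCheck {

    /** Sidecar extension paired with its JCA algorithm name, strongest first. */
    private static final String[][] PREFERENCE = {
        { "sha512", "SHA-512" },
        { "sha256", "SHA-256" },
        { "sha1",   "SHA-1"   },
        { "md5",    "MD5"     },
    };

    public enum Status { MATCH, MISMATCH, NO_CHECKSUM }

    public static final class Result {
        public final Status status;
        public final String algorithm; // null for NO_CHECKSUM

        Result(Status status, String algorithm) {
            this.status = status;
            this.algorithm = algorithm;
        }

        @Override
        public String toString() {
            return status + (algorithm == null ? "" : " via " + algorithm);
        }
    }

    /**
     * Walks PREFERENCE in order and verifies the artifact against the first
     * sidecar that exists and whose algorithm this JRE can instantiate.
     * Weaker sidecars are ignored once a stronger one is found, so a .sha512
     * file wins even when a .md5 file is published next to it.
     */
    public static Result verify(Path artifact) throws IOException {
        for (String[] candidate : PREFERENCE) {
            String ext = candidate[0];
            String jcaName = candidate[1];
            Path sidecar = artifact.resolveSibling(artifact.getFileName() + "." + ext);
            if (!Files.isRegularFile(sidecar)) {
                continue; // repository did not publish this checksum
            }
            MessageDigest md;
            try {
                md = MessageDigest.getInstance(jcaName);
            } catch (NoSuchAlgorithmException e) {
                continue; // JRE lacks the algorithm; fall back to the next one
            }
            String expected = parseChecksumFile(
                new String(Files.readAllBytes(sidecar), StandardCharsets.US_ASCII));
            String actual = hex(digestFile(md, artifact));
            Status status = expected.equalsIgnoreCase(actual) ? Status.MATCH : Status.MISMATCH;
            return new Result(status, jcaName);
        }
        return new Result(Status.NO_CHECKSUM, null);
    }

    /** Accepts a bare hex digest or the "digest  filename" form of sha*sum/md5sum. */
    static String parseChecksumFile(String content) {
        String trimmed = content.trim();
        return trimmed.isEmpty() ? "" : trimmed.split("\\s+")[0];
    }

    /** Streams the file through the digest so large artifacts stay off the heap. */
    static byte[] digestFile(MessageDigest md, Path file) throws IOException {
        try (InputStream in = Files.newInputStream(file)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        return md.digest();
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Constructed demo: a fake artifact published with only a .sha256 sidecar,
     *  so the missing .sha512 is skipped and SHA-256 is the algorithm used. */
    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        Path dir = Files.createTempDirectory("mresolver56");
        Path jar = dir.resolve("demo-1.0.jar");
        byte[] payload = "not really a jar".getBytes(StandardCharsets.US_ASCII);
        Files.write(jar, payload);
        String sha256 = hex(MessageDigest.getInstance("SHA-256").digest(payload));
        Files.write(jar.resolveSibling("demo-1.0.jar.sha256"),
                    (sha256 + "  demo-1.0.jar\n").getBytes(StandardCharsets.US_ASCII));
        System.out.println(verify(jar));

        // Overwrite the artifact after the sidecar was written: the same
        // sidecar is still selected, but the comparison now fails.
        Files.write(jar, "tampered".getBytes(StandardCharsets.US_ASCII));
        System.out.println(verify(jar));
    }
}
```

Two caveats worth keeping in mind when reading this. A checksum fetched from the same repository as the artifact only detects corruption in transit or a stale mirror; it does not authenticate the artifact, because whoever can alter the jar can rewrite the sidecar too (signatures, not checksums, are the tool for that). And a client cannot distinguish a `.sha512` that was never published from one that was removed on the way, so the fall-through to SHA1 and MD5 is a silent downgrade unless the configured checksum policy is allowed to refuse the weak algorithms outright.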
