[ https://issues.apache.org/jira/browse/MRESOLVER-56?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Osipov reassigned MRESOLVER-56:
---------------------------------------

    Assignee: Michael Osipov

> Support SHA-256 and SHA-512 as checksums
> ----------------------------------------
>
>                 Key: MRESOLVER-56
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-56
>             Project: Maven Resolver
>          Issue Type: Improvement
>          Components: resolver
>    Affects Versions: Maven Artifact Resolver 1.1.1
>            Reporter: Konrad Windszus
>            Assignee: Michael Osipov
>            Priority: Major
>
> As both supported checksums on remote repositories (namely MD5 and SHA1) have
> known flaws it would be nice if the Maven Resolver could also leverage other
> hashes like SHA256 and SHA512.
> Although those hashes aren't part of the official Maven 2 repository layout
> (https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
> couldn't find any newer/other spec) I don't see how an additional
> {{.sha256}} or {{.sha512}} file could introduce backwards compatibility
> issues with older clients.
> I think this namely would mean you would also return SHA512 and SHA256 if
> they exist and leverage if they are supported by the JRE. The longer the hash
> the better it is, therefore the hashes should be checked in the following
> order
> # SHA512
> # SHA256
> # SHA1
> # MD5
> This would need to be considered in the API within
> https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L165
> and
> https://github.com/apache/maven-resolver/blob/0c2373f6c66f20953b1a7e443ea1de8672d1b072/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/connector/layout/RepositoryLayout.java#L178.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
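
The checksum order proposed in the issue, as an added Java sketch that is not part of the original message and is not Maven Resolver code: it picks the strongest sidecar checksum that is both published and supported by the JRE. The class `ChecksumPreference`, the method `verify` and the sidecar map are hypothetical names; rejecting a mismatch instead of falling back to a weaker hash is an assumed policy, and `HexFormat` requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;

public class ChecksumPreference {
    // Sidecar extension -> JCA algorithm name, in the order proposed in the issue.
    static final String[][] ORDER = {
        {"sha512", "SHA-512"}, {"sha256", "SHA-256"}, {"sha1", "SHA-1"}, {"md5", "MD5"}
    };

    // Returns the extension that verified the artifact, or null if no sidecar was usable.
    // A mismatch throws instead of trying a weaker hash (assumed policy, not from the issue).
    static String verify(byte[] artifact, Map<String, String> sidecars) {
        for (String[] entry : ORDER) {
            String published = sidecars.get(entry[0]);
            if (published == null) continue;                   // repository does not offer it
            MessageDigest md;
            try { md = MessageDigest.getInstance(entry[1]); }
            catch (NoSuchAlgorithmException e) { continue; }   // JRE lacks it: try the next one
            // Sidecar content may be "<hex>  <filename>"; only the first token is the digest.
            String expected = published.trim().split("\\s+")[0].toLowerCase();
            String actual = HexFormat.of().formatHex(md.digest(artifact));
            if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                       actual.getBytes(StandardCharsets.US_ASCII))) {
                throw new SecurityException(entry[0] + " mismatch: expected " + expected
                        + ", computed " + actual);
            }
            return entry[0];
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        byte[] artifact = "constructed sample artifact".getBytes(StandardCharsets.UTF_8);
        HexFormat hex = HexFormat.of();
        Map<String, String> sidecars = new HashMap<>();        // constructed sidecar contents
        sidecars.put("md5", hex.formatHex(MessageDigest.getInstance("MD5").digest(artifact)));
        sidecars.put("sha256", hex.formatHex(MessageDigest.getInstance("SHA-256").digest(artifact)) + "  demo-1.0.jar");
        System.out.println("verified with: " + verify(artifact, sidecars));
        sidecars.put("sha512", "00");   // constructed wrong value on the strongest published hash
        try { verify(artifact, sidecars); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The second call shows why the order matters for a client: once a stronger checksum is published, a matching MD5 or SHA-1 sidecar is no longer enough to accept the artifact.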