[ https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17239748#comment-17239748 ]
Robert Scholte commented on MNG-5728:
-------------------------------------

I think this PR fixes this at the wrong place. Instead I believe we need to change the default for repository, see https://maven.apache.org/ref/3.6.3/maven-model/maven.html#class_releases.

While trying to fix the integration tests, I stumbled upon https://github.com/apache/maven-integration-testing/blob/master/core-it-suite/src/test/resources/mng-3769/settings-template.xml where the repo is explicitly set to 'ignore'. To me this should be the most important value if you don't specify it from the command line.

> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
>                 Key: MNG-5728
>                 URL: https://issues.apache.org/jira/browse/MNG-5728
>             Project: Maven
>          Issue Type: Improvement
>          Components: Artifacts and Repositories
>            Reporter: Nicolas Juneau
>            Assignee: Robert Scholte
>            Priority: Minor
>             Fix For: 4.0.x-candidate
>
>
> The default checksum policy when obtaining artifacts during a build is
> currently, by default, "warn". This seems a bit odd to me since a checksum
> is usually used to prevent the use of corrupted data.
>
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is
> easy to miss a bad checksum warning. I am aware that there is a
> checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be
> defined for all repositories at once. It has to be done either on a
> per-repository basis or by using the "strict-checksum" flag in the command
> line.
>
> After searching around a bit on the Web and with the help of a coworker, we
> discovered that the default "warn" setting was mainly there because some
> repositories were not handling checksums quite well. Issue MNG-339 contains
> some information about this.
>
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the
> default "warn" setting is really there for historical reasons.
>
> I believe that a default value of "fail" would greatly reduce the likelihood
> of errors and also slightly increase the security of Maven. Corrupted
> artifacts should not, by default, be used for builds.
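Until the default changes, the per-repository setting the reporter mentions is the way to get "fail" behaviour today. The following settings.xml profile is an added example, not from the issue or from Maven's own sources; the repository id and URL are placeholders, and the comments spell out what each policy value does.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles>
    <profile>
      <id>strict-checksums</id>
      <repositories>
        <repository>
          <!-- Placeholder id and URL: substitute your own repository or proxy.
               Using the id "central" here instead overrides the built-in
               definition of Maven Central, including its checksum policy. -->
          <id>example-releases</id>
          <url>https://repo.example.internal/maven2</url>
          <releases>
            <enabled>true</enabled>
            <!-- "ignore": no check at all (the value set in the mng-3769 template)
                 "warn":   the current default; a bad .sha1/.md5 only logs a warning
                 "fail":   a checksum mismatch aborts the build -->
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </repository>
      </repositories>
      <!-- Plugins are resolved through a separate list; apply the same policy there,
           otherwise a corrupted plugin download still passes with only a warning. -->
      <pluginRepositories>
        <pluginRepository>
          <id>example-plugins</id>
          <url>https://repo.example.internal/maven2</url>
          <releases><checksumPolicy>fail</checksumPolicy></releases>
          <snapshots><checksumPolicy>fail</checksumPolicy></snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>
```

The command-line equivalent for every repository in one build is `mvn -C` (`--strict-checksums`), which is the "strict-checksum" flag the report refers to; it has to be passed on each invocation, which is why the profile above is the more durable option.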