Tamás Cservenák created MRESOLVER-242:
-----------------------------------------
Summary: When no remote checksums provided by layout, transfer
inevitably fails/warns
Key: MRESOLVER-242
URL: https://issues.apache.org/jira/browse/MRESOLVER-242
Project: Maven Resolver
Issue Type: Bug
Reporter: Tamás Cservenák
On remote transfer, if layout does not provide remote checksums (as Javadoc
states: it MAY return empty collection), remote transfer either WARNs or fails
(if repository policy is WARN or FAIL respectively) always. This is wrong IMHO.
OTOH, layout intentionally does not return remote checksums in some cases, like
for a GPG signature, if the default Maven2RepositoryLayoutEx is used.
Hence, this causes (sub)artifacts like checksums and signatures to be NOT
resolvable using resolver, due to the above (they are deemed to always fail).
Hence, a proposed solution is:
* change of semantics: when layout does not provide remote checksums, skip
checksum validation of remote checksums (as there is no such thing as "checksum
of a checksum" or in many cases "checksum of a signature").
* make resolver layout "aware" of signatures, just like it is aware of
checksums and make them extensible/configurable
Optionally:
* implement signing/signature verification services
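The reported behaviour next to the first proposed change, as an added example that is not part of the original issue and is not Maven Resolver code. It is a simplified model: every type, method and file name in it is hypothetical, and the sample repository is constructed.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;

// Simplified model of the behaviour in this issue; all names are hypothetical, not Maven Resolver API.
public class NoRemoteChecksumsDemo {
    enum Policy { WARN, FAIL }
    enum Outcome { VERIFIED, SKIPPED, WARNED, FAILED }

    // Stand-in layout: checksum files and GPG signatures are offered no remote checksums.
    static List<String> checksumExtensions(String path) {
        boolean subArtifact = path.endsWith(".sha1") || path.endsWith(".asc");
        return subArtifact ? List.of() : List.of("sha1");
    }

    static String sha1Hex(byte[] data) throws Exception {
        return String.format("%040x", new BigInteger(1, MessageDigest.getInstance("SHA-1").digest(data)));
    }

    // skipWhenNoneOffered = false models the reported behaviour, true the proposed semantics.
    static Outcome transfer(Map<String, byte[]> repo, String path, Policy policy,
                            boolean skipWhenNoneOffered) throws Exception {
        List<String> exts = checksumExtensions(path);
        if (exts.isEmpty() && skipWhenNoneOffered) {
            return Outcome.SKIPPED; // nothing to validate against, so the policy is not consulted
        }
        String actual = sha1Hex(repo.get(path));
        for (String ext : exts) {
            byte[] remote = repo.get(path + "." + ext);
            if (remote != null && actual.equals(new String(remote, StandardCharsets.US_ASCII).trim())) {
                return Outcome.VERIFIED;
            }
        }
        // No checksum matched, or none was offered: the policy decides, which is the reported problem.
        return policy == Policy.FAIL ? Outcome.FAILED : Outcome.WARNED;
    }

    public static void main(String[] args) throws Exception {
        byte[] jar = "jar-bytes".getBytes(StandardCharsets.US_ASCII); // constructed sample content
        Map<String, byte[]> repo = Map.of("a-1.0.jar", jar,
                "a-1.0.jar.sha1", sha1Hex(jar).getBytes(StandardCharsets.US_ASCII),
                "a-1.0.jar.asc", "signature-bytes".getBytes(StandardCharsets.US_ASCII));
        for (String p : List.of("a-1.0.jar", "a-1.0.jar.sha1", "a-1.0.jar.asc")) {
            System.out.println(p + " reported=" + transfer(repo, p, Policy.FAIL, false)
                    + " proposed=" + transfer(repo, p, Policy.FAIL, true));
        }
    }
}
```

In this model, skipping validation for a signature or checksum file means its integrity rests entirely on whatever verifies it afterwards, which is what the signature-aware layout and the optional verification services in the proposal would address.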