[jira] [Commented] (MRESOLVER-265) Discrepancy between produced and recognized checksums

Fri, 24 Jun 2022 07:12:06 -0700 


    [ 
https://issues.apache.org/jira/browse/MRESOLVER-265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558517#comment-17558517
 ] 

ASF GitHub Bot commented on MRESOLVER-265:
------------------------------------------

cstamas commented on PR #187:
URL: https://github.com/apache/maven-resolver/pull/187#issuecomment-1165615965

   > I am pretty sure some older Maven repository implementations (e.g. Nexus2) 
always require MD5/SHA1 (even for sha512 files). Not sure about the 
implications of this change with those repo managers.
   
   I am pretty sure this is not true for deploy (to some hosted repository), is 
it possible you talk about staging maybe? As in that case, Nexus2 (on repo.a.o 
but also OSS.s.o) enforce some things, and yes, I'd expect some strangeness 
here.... but given it's closed source, they should fix it IMHO :smile: 




> Discrepancy between produced and recognized checksums
> -----------------------------------------------------
>
>                 Key: MRESOLVER-265
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-265
>             Project: Maven Resolver
>          Issue Type: Bug
>    Affects Versions: 1.8.0
>            Reporter: Tamás Cservenák
>            Priority: Major
>             Fix For: resolver-next, 1.8.2
>
>
> In short: repository layout has member:
> * 
> {{org.eclipse.aether.internal.impl.Maven2RepositoryLayoutFactory.Maven2RepositoryLayout#checksumAlgorithms}}
> That is checksums (as configured by user of default) that will be consumed 
> (on fetch) or produced (publish).
> Now, if we consider "default" configured resolver (checksumAlrgorithms=SHA1, 
> MD5) there is a discrepancy IF ANY OTHER supported but not configured 
> checksum comes in play:
> If a Mojo attaches an artifact having extension ".zip.sha512", resolver will 
> checksum it (w/ {{checksumAlgorithms}} checksums) DESPITE it should know this 
> is a checksum, and "checksum of a checksum" is a nonsense, just makes noise.
> Reason: method 
> {{org.eclipse.aether.internal.impl.Maven2RepositoryLayoutFactory.Maven2RepositoryLayout#isChecksum}}
>  works with preconfigured checksums only (in our example SHA1 and MS5) and 
> will respond "not a checksum" for SHA512.
> Proposal to fix:
> The method check should NOT be based on {{checksumAlgorithms}} but on "all 
> checksums supported by Resolver".



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to