Rafael Winterhalter created MRESOLVER-268:
---------------------------------------------

             Summary: Apply artifact checksum verification for any resolved artifact
                 Key: MRESOLVER-268
                 URL: https://issues.apache.org/jira/browse/MRESOLVER-268
             Project: Maven Resolver
          Issue Type: Improvement
            Reporter: Rafael Winterhalter


Maven resolver currently only verifies provided checksums (via 
ProvidedChecksumsSource) when artifacts are downloaded from a remote 
repository. While this strategy is efficient when working with a clean local 
repository, it can create problems if two Maven projects share a local 
repository, where only one project validates hashes. If the first project has 
downloaded a corrupted artifact, the second project would now use this 
corrupted artifact despite knowing a non-matching checksum.

With the proposed change, artifacts are validated whenever they are resolved. 
This allows retaining the integrity of a project even when sharing a local 
Maven repository with other, unsecured projects.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
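
The gap this issue describes, modelled as an added example; it is not Maven Resolver code and not from the reporter. The `Project` class, the `verify_on_resolve` flag, the coordinates, the byte strings and the choice of SHA-256 are all assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

class ChecksumMismatch(Exception):
    pass

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # algorithm is an assumption

class Project:
    """Hypothetical build that resolves artifacts through a shared local repo."""
    def __init__(self, local_repo, remote, provided, verify_on_resolve):
        self.local_repo = Path(local_repo)
        self.remote = remote        # coords -> bytes served by the remote
        self.provided = provided    # coords -> expected digest (may be empty)
        self.verify_on_resolve = verify_on_resolve

    def _check(self, coords, data):
        expected = self.provided.get(coords)
        if expected is not None and digest(data) != expected:
            raise ChecksumMismatch(coords)

    def resolve(self, coords):
        path = self.local_repo / coords.replace(":", "_")
        if path.exists():                    # cache hit: no download happens
            data = path.read_bytes()
            if self.verify_on_resolve:       # behaviour proposed in the issue
                self._check(coords, data)
            return data
        data = self.remote[coords]
        self._check(coords, data)            # download-time verification only
        path.write_bytes(data)
        return data

def demo():
    good, bad = b"genuine jar (constructed)", b"corrupted jar (constructed)"
    coords = "com.example:lib:1.0"           # constructed coordinates
    results = {}
    for verify_on_resolve in (False, True):
        with tempfile.TemporaryDirectory() as repo:
            # Project A provides no checksums and caches a corrupted artifact.
            Project(repo, {coords: bad}, {}, False).resolve(coords)
            # Project B knows the right checksum but shares A's local repo.
            b = Project(repo, {coords: good}, {coords: digest(good)}, verify_on_resolve)
            try:
                b.resolve(coords)
                results[verify_on_resolve] = "used cached artifact"
            except ChecksumMismatch:
                results[verify_on_resolve] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```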
