[ https://issues.apache.org/jira/browse/MRESOLVER-268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17607767#comment-17607767 ]

ASF GitHub Bot commented on MRESOLVER-268:
------------------------------------------

cstamas commented on PR #191:
URL: https://github.com/apache/maven-resolver/pull/191#issuecomment-1253752583

My stance on this feature is somewhat aligned with the new feature in 
https://issues.apache.org/jira/browse/MRESOLVER-274 when it comes to the local 
repository. Simply put, if you share your local repository across many 
(unrelated) builds, you cannot be sure about the state of it (not to mention 
possible information leakage as well, but let's not mix that in). The 
"quality" of it may become questionable as well.

For me, the approach GitHub Actions takes is the correct one: you CAN cache the local 
repo, but that cache is reused only for that very same project, nothing else, 
and is not shared (for obvious reasons as well).

On the CI side, reuse of the local repository should really be handled per job or 
job group, as ultimately you have the "nuke it and let MRM serve it up" option, but 
yes, it may create nice (hopefully internal, as MRM should be internal) traffic.

I am on edge on this, but this PR is "too much"; maybe instead some post-resolve 
hook (component) could be added, and whoever needs it may implement a component (and use it as a 
build extension) that performs the task you need at the cost of the overhead 
(checksumming all resolved artifacts)?

> Apply artifact checksum verification for any resolved artifact
> --------------------------------------------------------------
>
>                 Key: MRESOLVER-268
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-268
>             Project: Maven Resolver
>          Issue Type: Improvement
>          Components: Resolver
>            Reporter: Rafael Winterhalter
>            Assignee: Tamás Cservenák
>            Priority: Major
>
> Maven Resolver currently only verifies provided checksums (via 
> ProvidedChecksumsSource) when artifacts are downloaded from a remote 
> repository. While this strategy is efficient when working with a clean local 
> repository, it can create problems if two Maven projects share a local 
> repository where only one project validates hashes. If the first project has 
> downloaded a corrupted artifact, the second project would now use this 
> corrupted artifact despite knowing a non-matching checksum.
> With the proposed change, artifacts are validated whenever they are resolved. 
> This allows retaining the integrity of a project also when sharing a local 
> Maven repository with other, unsecured projects.
> The current PR only activates this general validation if a global validation 
> policy is defined.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)