[ https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17680987#comment-17680987 ]
ASF GitHub Bot commented on MWRAPPER-75:
----------------------------------------

raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1404975208

This was the original behavior and I pointed it out in this comment: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265742206 - I was asked to change it here: https://github.com/apache/maven-wrapper/pull/58#discussion_r985951900

I am more than happy to change this back, but wanted to double-check that this is wanted now?

> Allow for sha256 checksum verification of downloaded artifacts.
> ---------------------------------------------------------------
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
> Issue Type: Improvement
> Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper Scripts
> Reporter: Rafael Winterhalter
> Assignee: Slawomir Jaranowski
> Priority: Normal
> Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To prevent an attack where a vulnerable repository could distribute malicious Maven (wrapper) artifacts, the downloaded artifacts should be verified against a secure checksum. If the expected checksum does not match, execution could be aborted before the potentially compromised artifact is executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still impossible to replicate with a corrupted binary.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
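The check the issue describes, written as an added POSIX shell example rather than the Maven Wrapper project's own script: compute the SHA-256 of a downloaded file, compare it with the expected digest, and return non-zero on mismatch so the caller aborts before the artifact is executed. It assumes sha256sum, shasum or openssl is on PATH; the sample file and its digest are constructed for the demonstration.

```shell
# Added example, not Maven Wrapper's own code. Verify a downloaded artifact
# against an expected SHA-256 hex digest before it is allowed to run.
# Assumption: sha256sum (coreutils), shasum, or openssl is available on PATH.

# Print the lowercase hex SHA-256 digest of the file given as $1.
sha256_of_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  else
    echo "no SHA-256 tool available" >&2
    return 2
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when the digest matches (hex case is ignored); otherwise
# prints a diagnostic and returns 1 so the caller can stop before executing
# the artifact. Returns 2 when the digest could not be computed at all.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of_file "$file") || return 2
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# Usage: verify first, execute only on success. The file below is a
# constructed stand-in for a downloaded artifact; "abc" has the SHA-256
# digest ba7816bf...f20015ad.
sample=$(mktemp)
printf 'abc' > "$sample"
if verify_sha256 "$sample" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
  echo "verified: $sample may be executed"
else
  echo "aborting: $sample failed verification" >&2
fi
rm -f "$sample"
```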