I tend to agree that simply displaying a checksum is most likely going
to be ignored. And even if it is looked at... how would you know from
looking at the checksum if it is the one of the original deployed
artifact in Maven Central or a rebuilt one or a patched one. The
checksum alone will do
Personal opinion only: displaying checksums, even optionally, is
unlikely to be helpful. No one pays attention to these or verifies
them. Recently I actually went to the trouble of verifying the
checksums for a major Apache project and discovered the KEYS file was
borked. No one had noticed for yea
Hi dev list,
I'd like to propose a small enhancement to the maven-dependency-plugin.
From a Software Composition Analysis (SCA) and security perspective, it's
crucial to verify the exact artifact that has been resolved during a build.
Private or third-party repositories may provide artifacts that