> >
> > > Personal opinion only: displaying checksums, even optionally, is
> > > unlikely to be helpful. No one pays attention to these or verifies
> > > them. Recently I actually went to the trouble of verifying the
> > > checksums for a major Apache project
Hi dev list,
I'd like to propose a small enhancement to the maven-dependency-plugin.
From a Software Composition Analysis (SCA) and security perspective, it's
crucial to verify the exact artifact that has been resolved during a build.
Private or third-party repositories may provide artifacts that