Excellent news on the trusted checksums feature! As this appears to be
provided by Maven itself (in 3.9 onward?), is this the recommended way for
teams to version Maven checksums in git? If so, is more documentation
planned/needed?
Perhaps what is missing in maven-dependency-plugin is machine-read
And one more thing:
On a related note (globally, not TC related directly), in Maven 4
(Resolver 2) we have much greater control over connectors, see
https://github.com/apache/maven-resolver/issues/1361
And as the issue shows, "signature checking" connector is about to
arrive soon(ish).
And this a
Howdy,
Yes, sadly we (project) are very bad at "advertising" and "properly
documenting" things. Sorry about that.
Trusted checksums is in fact SPI and one can plug in various sources
(while resolver contains some "basic" implementations). This is a very
similar setup as with Remote Repository Fi
On 7/11/25 7:26 AM, Calum Harrison wrote:
"Trusted Checksums" is good to know about -- I had missed that.
It's very easy to miss!
I came across it accidentally myself rather recently. I was
participating in this issue:
[MNG-6026] Extend the Project Object Model (POM) with trust information
Hi,
You are all fundamentally correct:
Just printing the checksums is of course insufficient. For large projects,
it would just be noise. The aim would be for the hashes to be consumed by
downstream systems. `maven-dependency-plugin` seemed to me one of the more
natural places to provide this fun
Howdy,
The proposal is kinda wrong, for starters as dependency:tree collects
dependencies but does not resolve them.
Without resolution, the artifacts in question may not be even present
on disk, so what gives?
But, as a counter "proposal", I toyed with the Toolbox project, which
already was able
Hi,
There is a "Trusted Checksums"
https://maven.apache.org/resolver/expected-checksums.html
We can store / record checksums in the project file and use it next time.
Here is a demo project with "Trusted Checksums"
https://github.com/cstamas/tc-demo
On Fri, 11 Jul 2025 at 00:55, Elliotte Rus
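A record-then-verify check of the kind described above, as an added example that is not taken from the resolver, the demo project or any post in this thread: the summary-file line format, the coordinate strings and the jar bytes are all constructed for illustration, not the resolver's own format.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path: Path) -> str:
    """SHA-256 hex digest, streamed so a large jar is not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def record(artifacts: dict[str, Path], summary: Path) -> None:
    """Write one '<coordinate> <hexdigest>' line per artifact (assumed format, not resolver's)."""
    summary.write_text("".join(f"{c} {digest(p)}\n" for c, p in sorted(artifacts.items())))

def load_summary(summary: Path) -> dict[str, str]:
    """Parse the summary file; blank lines and '#' comments are ignored."""
    trusted = {}
    for line in summary.read_text().splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            coord, _, hexdigest = line.strip().partition(" ")
            trusted[coord] = hexdigest.strip().lower()
    return trusted

def verify(artifacts: dict[str, Path], summary: Path, fail_if_missing: bool = True) -> list[str]:
    """Return the problems found; an empty list means every artifact matched its pinned digest."""
    trusted, problems = load_summary(summary), []
    for coord, path in sorted(artifacts.items()):
        expected = trusted.get(coord)
        if expected is None:  # unpinned artifact: report it rather than silently pass
            if fail_if_missing:
                problems.append(f"MISSING {coord}")
        elif (actual := digest(path)) != expected:
            problems.append(f"MISMATCH {coord} expected={expected[:12]} actual={actual[:12]}")
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: pin two fake jars, then alter one and add an unpinned third."""
    root = Path(tempfile.mkdtemp())
    a, b, c = root / "lib-a-1.0.jar", root / "lib-b-1.0.jar", root / "lib-c-2.0.jar"
    a.write_bytes(b"PK\x03\x04 constructed jar A")
    b.write_bytes(b"PK\x03\x04 constructed jar B")
    artifacts = {"org.example:lib-a:jar:1.0": a, "org.example:lib-b:jar:1.0": b}
    summary = root / "checksums.txt"
    record(artifacts, summary)           # first build: record what was resolved
    clean = verify(artifacts, summary)   # same bytes, so no problems
    b.write_bytes(b"PK\x03\x04 constructed jar B, altered")
    c.write_bytes(b"PK\x03\x04 constructed jar C")
    artifacts["org.example:lib-c:jar:2.0"] = c
    return clean, verify(artifacts, summary)  # next build: MISMATCH lib-b, MISSING lib-c
```

With `fail_if_missing=True` an artifact that was never pinned fails the build, which is the behaviour to want once the summary file is committed alongside the POM.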
I tend to agree that simply displaying a checksum is most likely going
to be ignored. And even if it is looked at .. how would you know from
looking at the checksum if it is the one of the original deployed
artifact in Maven Central or a rebuilt one or a patched one. The
checksum alone will do
Personal opinion only: displaying checksums, even optionally, is
unlikely to be helpful. No one pays attention to these or verifies
them. Recently I actually went to the trouble of verifying the
checksums for a major Apache project and discovered the KEYS file was
borked. No one had noticed for yea
Hi dev list,
I'd like to propose a small enhancement to the maven-dependency-plugin.
From a Software Composition Analysis (SCA) and security perspective, it's
crucial to verify the exact artifact that has been resolved during a build.
Private or third-party repositories may provide artifacts that