My view is that the artifact checksums deployed have nothing to do with
security, but just a way for Maven to verify that the download was ok. It's
not verifying that it's the *correct* (valid) artifact that was downloaded.

The apache link you're referring to talks about release signatures, not
artifact checksum files. md5 or sha1 should be sufficient for artifact
checksums.

/Anders

On Mon, Dec 5, 2016 at 1:56 AM, John Patrick <nhoj.patr...@gmail.com> wrote:

> Hiya,
>
> So currently checksums are not generated by default... I've submitted
> a ticket which switched the install plugin to generate them by
> default.
>
> Next step stop using md5 which most have considered dead for several
> years, and checking apache
> (https://www.apache.org/dev/release-signing.html) sha512 should be
> being used.
>
> So either;
> 1) add support so md5, sha1, sha256 and sha512 are all generated
> 2) plugin defines which is generated
> 3) plugin defines a list which are generated
> 4) settings.xml defines which is generated
> 5) settings.xml defines a list which are generated?
>
> Thoughts???
>
> Next;
> Currently when downloading we have ignore, warn or error if checksums
> don't match. I propose adding a checksum min level options? i.e. allow
> MD5 > SHA1, SHA256 > SHA512
>
> So;
> 1) Default to MD5
> 2) Wait till all maven plugins deploy a sha512 to central
> 3) Switch default to SHA512
>
> What are developers thoughts?
> What staged steps should this be merged as?
>
> I would like to start helping getting the core maven and all of its
> dependencies more secure so people can start trusting maven is secure
> by default as I get the feeling isn't at the moment.
>
> Cheers,
> John
>
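As an added example (not code from this thread or from Maven itself): a stand-alone Python sketch of the proposed "minimum checksum level" layered on Maven's existing ignore/warn/error policy, always checking against the strongest sidecar file the repository offers. The artifact bytes and sidecar contents are constructed, and verify_artifact/parse_sidecar are hypothetical names.

```python
import hashlib
import hmac

# Checksum algorithms Maven repositories publish as sidecar files, ordered
# weakest to strongest (the "min level" ordering from the proposal above).
STRENGTH = {"md5": 1, "sha1": 2, "sha256": 3, "sha512": 4}

def parse_sidecar(text):
    """Return the hex digest from a checksum sidecar file.

    Sidecars are usually the bare hex digest, but some tools emit
    'digest  filename' (sha1sum style), so keep only the first token.
    """
    return text.split()[0].strip().lower()

def verify_artifact(artifact, sidecars, min_algo, policy):
    """Decide whether to accept a downloaded artifact.

    artifact  -- the downloaded bytes
    sidecars  -- {algorithm: sidecar file contents} fetched alongside it
    min_algo  -- weakest algorithm the user is willing to trust
    policy    -- Maven's existing "ignore", "warn" or "error" setting
    Returns (accepted, reason, algorithm_used).
    """
    if min_algo not in STRENGTH or policy not in ("ignore", "warn", "error"):
        raise ValueError("bad configuration")
    fail = policy == "error"   # "ignore" and "warn" both let the artifact through

    candidates = [a for a in sidecars if a in STRENGTH]
    if not candidates:
        return (not fail, "no checksum file", None)
    # Always verify with the strongest sidecar the repository offers.
    best = max(candidates, key=STRENGTH.__getitem__)
    if STRENGTH[best] < STRENGTH[min_algo]:
        return (not fail, f"{best} below minimum {min_algo}", best)

    actual = hashlib.new(best, artifact).hexdigest()
    expected = parse_sidecar(sidecars[best])
    if not hmac.compare_digest(actual, expected):
        # A mismatch means a corrupt download (or a bad sidecar); a match only
        # shows the bytes arrived intact, not that they are the signed release.
        return (not fail, f"{best} mismatch", best)
    return (True, f"{best} ok", best)

# Constructed sample: a fake artifact with matching md5 and sha512 sidecars.
SAMPLE_JAR = b"PK\x03\x04 constructed fake jar contents"
SAMPLE_SIDECARS = {
    "md5": hashlib.md5(SAMPLE_JAR).hexdigest() + "  sample.jar\n",
    "sha512": hashlib.sha512(SAMPLE_JAR).hexdigest(),
}

if __name__ == "__main__":
    print(verify_artifact(SAMPLE_JAR, SAMPLE_SIDECARS, "sha256", "error"))
    print(verify_artifact(SAMPLE_JAR, {"md5": SAMPLE_SIDECARS["md5"]}, "sha256", "error"))
```

With only an md5 sidecar and a sha256 minimum under "error", the artifact is rejected; under "warn" it is still accepted, matching Maven's current semantics for that setting.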
