Personal opinion only: displaying checksums, even optionally, is unlikely to be helpful. No one pays attention to these or verifies them. Recently I actually went to the trouble of verifying the checksums for a major Apache project and discovered the KEYS file was borked. No one had noticed for years. Checksums need to be verified automatically. Adding code to support manual verification is security theater and a waste of time.
On Thu, Jul 10, 2025 at 6:18 PM Calum Harrison <calum.harri...@snyk.io.invalid> wrote:
>
> Hi dev list,
>
> I'd like to propose a small enhancement to the maven-dependency-plugin.
> From a Software Composition Analysis (SCA) and security perspective, it's
> crucial to verify the exact artifact that has been resolved during a build.
> Private or third-party repositories may provide artifacts that have been
> patched or altered but retain the same GAV (GroupId, ArtifactId, Version)
> coordinates. This makes identifying the specific artifact provenance a
> challenge.
>
> Would the team consider adding an optional flag (e.g., -DshowChecksums) to
> commands like dependency:tree and dependency:list that would display the
> SHA-1 hash of the resolved artifact?
> This would provide a simple, standardized way to verify artifact integrity
> without relying on third-party plugins, which are often restricted in
> corporate environments.
>
> Is this functionality something that would be within the scope of the
> maven-dependency-plugin, or would it be better suited for another plugin or
> Maven core itself?
>
> Thanks,
> Calum

--
Elliotte Rusty Harold
elh...@ibiblio.org
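An automated checker of the kind the reply argues for, as an added example that is not from this thread or from the maven-dependency-plugin: it walks a local Maven repository and compares each resolved artifact against the `.sha1` sidecar that repositories publish next to it, tolerating both sidecar layouts seen in the wild. The repository layout, artifact bytes and sidecar contents are constructed for the demo.

```python
"""Automated SHA-1 verification of a Maven local repository (added example)."""
import hashlib
import tempfile
from pathlib import Path

ARTIFACT_SUFFIXES = (".jar", ".pom", ".war", ".aar")


def sha1_of(path: Path) -> str:
    """Stream the file through SHA-1 so large artifacts are not read whole."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha1_file(path: Path) -> str:
    """Sidecars are either a bare hex digest or '<hex>  <filename>'; some are
    upper-case, so normalise before comparing."""
    return path.read_text().strip().split()[0].lower()


def verify_repo(root: Path) -> dict:
    """Map each artifact (relative to root) to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix not in ARTIFACT_SUFFIXES:
            continue
        sidecar = p.with_name(p.name + ".sha1")
        rel = p.relative_to(root).as_posix()
        if not sidecar.exists():
            results[rel] = "missing"   # nothing published to check against
        elif parse_sha1_file(sidecar) == sha1_of(p):
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"  # altered artifact or stale sidecar
    return results


def demo() -> dict:
    """Constructed sample repo: one clean artifact, one altered, one unchecked."""
    d = Path(tempfile.mkdtemp()) / "org/example/lib/1.0"
    d.mkdir(parents=True)
    (d / "lib-1.0.jar").write_bytes(b"good jar bytes")
    (d / "lib-1.0.jar.sha1").write_text(sha1_of(d / "lib-1.0.jar") + "  lib-1.0.jar\n")
    (d / "lib-1.0.pom").write_bytes(b"<project/>")    # content no longer matches
    (d / "lib-1.0.pom.sha1").write_text(hashlib.sha1(b"<project>v1</project>").hexdigest().upper())
    (d / "lib-1.0-sources.jar").write_bytes(b"src")    # no sidecar at all
    return verify_repo(d.parents[3])
```

A sidecar served by the same repository only shows the download arrived intact; to detect the repackaged-under-the-same-GAV case Calum describes, the expected digests have to come from somewhere the repository does not control, such as a pinned list kept in source control, and a build should fail on any "mismatch".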