I tend to agree that simply displaying a checksum is most likely going
to be ignored. And even if it is looked at... how would you know from
looking at the checksum if it is the one of the original deployed
artifact in Maven Central, a rebuilt one or a patched one? The
checksum alone will do nothing.
What you are actually looking for is a proof of provenance for the
specific artifact. There is no standard tooling around this, and
therefore most (or all) artifacts in Maven Central currently do not
include that sort of info (SBOM, provenance, build receipt, and such).
If a standard approach were to be agreed upon and then implemented in
the main plugins, that's a different story (and potentially a LOT of
work).
So for Calum - you would have to specify more what you want to achieve,
figure out a plan and then work on implementation.
Manfred

On 2025-07-10 3:54 p.m., Elliotte Rusty Harold wrote:
Personal opinion only: displaying checksums, even optionally, is
unlikely to be helpful. No one pays attention to these or verifies
them. Recently I actually went to the trouble of verifying the
checksums for a major Apache project and discovered the KEYS file was
borked. No one had noticed for years. Checksums need to be verified
automatically. Adding code to support manual verification is security
theater and a waste of time.

On Thu, Jul 10, 2025 at 6:18 PM Calum Harrison
<calum.harri...@snyk.io.invalid> wrote:

Hi dev list,
I'd like to propose a small enhancement to the maven-dependency-plugin.
From a Software Composition Analysis (SCA) and security perspective, it's
crucial to verify the exact artifact that has been resolved during a build.
Private or third-party repositories may provide artifacts that have been
patched or altered but retain the same GAV (GroupId, ArtifactId, Version)
coordinates. This makes identifying the specific artifact provenance a
challenge.
Would the team consider adding an optional flag (e.g., -DshowChecksums) to
commands like dependency:tree and dependency:list that would display the
SHA-1 hash of the resolved artifact?
This would provide a simple, standardized way to verify artifact integrity
without relying on third-party plugins, which are often restricted in
corporate environments.
Is this functionality something that would be within the scope of the
maven-dependency-plugin, or would it be better suited for another plugin or
Maven core itself?
Thanks,
Calum

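The two points above, Calum's (expose the SHA-1 of each resolved artifact) and Elliotte's (a checksum nobody verifies is theater; verification has to be automatic), can be illustrated together with a small script. This is an added example, not code from the maven-dependency-plugin or from anyone in this thread. It assumes the usual local-repository layout (`<root>/<group path>/<artifactId>/<version>/<artifactId>-<version>.jar`) and a lockfile, constructed here, that maps `groupId:artifactId:version` to the SHA-1 of the artifact as it was originally pinned. All sample jars and digests are constructed inline. Note Manfred's caveat still holds: a mismatch only says "not the bytes that were pinned"; it does not by itself tell you which copy is the genuine one.

```python
"""Added example: automatically verify resolved Maven artifacts against a
pinned lockfile of SHA-1 digests, instead of printing checksums for a
human to eyeball. Not code from the maven-dependency-plugin.

Assumptions (mine, not from the thread):
  * artifacts sit in a Maven local-repository directory layout
  * the trusted reference is a lockfile {"groupId:artifactId:version": sha1}
"""
import hashlib
import os
import tempfile
import zipfile


def artifact_path(repo_root, gav):
    """Map a GAV coordinate to the jar path in a local-repository layout."""
    group_id, artifact_id, version = gav.split(":")
    return os.path.join(repo_root, *group_id.split("."), artifact_id, version,
                        f"{artifact_id}-{version}.jar")


def sha1_of_file(path):
    """SHA-1 of a file, streamed so large jars need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifacts(repo_root, lockfile):
    """Compare every pinned artifact against what was actually resolved.

    Returns {gav: "ok" | "mismatch" | "missing"}. "mismatch" means the jar at
    that GAV is not byte-for-byte the one pinned: rebuilt, patched, or
    substituted by a repository that kept the same coordinates.
    """
    results = {}
    for gav, expected in lockfile.items():
        path = artifact_path(repo_root, gav)
        if not os.path.isfile(path):
            results[gav] = "missing"
            continue
        # lower-case both sides so differently-cased hex does not false-alarm
        actual = sha1_of_file(path)
        results[gav] = "ok" if actual == expected.lower() else "mismatch"
    return results


def write_sample_jar(repo_root, gav, entries):
    """Write a constructed jar (sample data, not a real artifact) into the layout."""
    path = artifact_path(repo_root, gav)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for name, data in entries.items():
            # fixed timestamp so the jar bytes, and hence the SHA-1, are reproducible
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            jar.writestr(info, data)
    return path


def demo(repo_root):
    """Pin a constructed artifact, then catch a same-GAV replacement of it."""
    gav = "org.example:lib:1.0"  # hypothetical coordinates
    manifest = "Manifest-Version: 1.0\n"
    write_sample_jar(repo_root, gav, {"META-INF/MANIFEST.MF": manifest})
    lockfile = {gav: sha1_of_file(artifact_path(repo_root, gav))}
    before = verify_artifacts(repo_root, lockfile)
    # a "patched" build keeps the coordinates but ships different bytes
    write_sample_jar(repo_root, gav, {"META-INF/MANIFEST.MF": manifest,
                                      "org/example/Patched.class": b"\xca\xfe\xba\xbe"})
    after = verify_artifacts(repo_root, lockfile)
    return before, after


def run_demo():
    """Run demo() in a throwaway directory; returns (before, after) results."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp)


if __name__ == "__main__":
    print(run_demo())
```

In a CI job the natural use is to run `verify_artifacts` over the build's local repository after resolution and fail the build on any status other than `ok`; that is the automatic verification Elliotte is asking for, with the lockfile playing the role of the trusted reference that a bare checksum in `dependency:tree` output does not provide.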
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org