On 7/11/25 7:26 AM, Calum Harrison wrote:
> "Trusted Checksums" is good to know about -- I had missed that.

It's very easy to miss!
I came across it accidentally myself rather recently. I was
participating in this issue:
[MNG-6026] Extend the Project Object Model (POM) with trust information
(OpenPGP, hash values) #7858
https://github.com/apache/maven/issues/7858
but I missed the post by Tamás Cservenák that announced it:
Maven OOTB provides: trusted checksums ...
https://github.com/apache/maven/issues/7858#issuecomment-3041224404
Gradle has had similar dependency verification for some time:
Verifying dependencies
https://docs.gradle.org/current/userguide/dependency_verification.html
The corresponding Maven documentation is found at the link below. The
Maven page looks more like an internal design document, which is
important, but we're missing a good description of the end-user interface.
Expected Checksums
https://maven.apache.org/resolver/expected-checksums.html
This is a long-awaited major new feature and enhancement. It seems that
very few users of Maven are aware of it.
John