[ https://issues.apache.org/jira/browse/MNG-5728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14735383#comment-14735383 ]

Michael Osipov commented on MNG-5728:
-------------------------------------

Have you considered setting the appropriate configs on your local Nexus 
instance? In this case Nexus will refuse to serve the broken artifact.

I agree with you that Maven should fail with broken artifacts. You might want 
to raise this issue with the OSSRH mailing list to see how they cope with such 
a problem. It would make a decision to resolve this issue way easier. Feel free 
to nag me when 3.4 is around.

> Switch the default checksum policy from "warn" to "fail"
> --------------------------------------------------------
>
>                 Key: MNG-5728
>                 URL: https://issues.apache.org/jira/browse/MNG-5728
>             Project: Maven
>          Issue Type: Improvement
>          Components: Artifacts and Repositories
>            Reporter: Nicolas Juneau
>            Priority: Minor
>
> The default checksum policy when obtaining artifacts during a build is 
> currently, by default, "warn". This seems a bit odd for me since a checksum 
> is usually used to prevent the use of corrupted data.
> Since Maven produces a lot of output (and some IDEs sometimes hide it), it is 
> easy to miss a bad checksum warning. I am aware that there is a 
> checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be 
> defined for all repositories at once. It has to be done either on a 
> per-repository basis or by using the "strict-checksum" flag in the command 
> line.
> After searching around a bit on the Web and with the help of a coworker, we 
> discovered that the default "warn" setting was mainly there because some 
> repositories were not handling checksums quite well. Issue MNG-339 contains 
> some information about this.
> My colleague also chatted briefly with "trygvis" on IRC. Apparently, the 
> default "warn" setting is really there for historical reasons.
> I believe that a default value of "fail" would greatly reduce the likelihood 
> of errors and also slightly increase the security of Maven. Corrupted 
> artifacts should not, by default, be used for builds.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
