[
https://issues.apache.org/jira/browse/MNG-5689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16403304#comment-16403304
]
Christopher Tubbs commented on MNG-5689:
----------------------------------------
I would encourage the Maven community to consider addressing this issue. The
inability to enforce a strict checksum policy means that it is that much harder
to detect corrupt artifacts. This could be viewed as a security issue, in the
case where artifacts are intentionally corrupted by a man-in-the-middle attack
to inject vulnerable code when the downloaded library is used, or as a denial of
service attack, to prevent software from building or running because it cannot
download working dependent software libraries. I realize, of course, that the
checksum policy has only a limited ability to prevent such security problems
(because the checksums are stored "in-band" with the artifacts themselves, and
anybody able to manipulate the artifacts could also manipulate the checksums),
but I still think it's better for users to be able to have *some* kind of
assurances from the server that the artifacts haven't been altered in transit.
> Checksum policy for mirrors
> ---------------------------
>
> Key: MNG-5689
> URL: https://issues.apache.org/jira/browse/MNG-5689
> Project: Maven
> Issue Type: Improvement
> Components: Settings
> Affects Versions: 3.2.3
> Reporter: Christopher Tubbs
> Priority: Major
> Labels: security-issue
>
> It does not appear that there is any way to configure a checksum policy for
> mirrors in the settings.xml file.
> In particular, I'd love to enforce a "strict" checksum policy on maven
> central. I can configure a mirrorOf central, but I cannot set the checksum
> policy. This seems like a big oversight.
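As an added illustration, not part of the issue or of the Maven project's own documentation, this is the settings.xml shape the settings schema does support at the time of the issue: the mirror element carries no checksum policy, but a repository definition in an active profile does, and the policy is applied when that repository is fetched through the mirror. The mirror URL is a placeholder, and this assumes Maven carries the mirrored repository's release and snapshot policies over to the mirror.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <!-- No checksumPolicy child exists here; that is the gap MNG-5689 describes. -->
      <id>internal-mirror</id>
      <mirrorOf>central</mirrorOf>
      <!-- placeholder URL for the organisation's mirror -->
      <url>https://mirror.example.internal/maven2</url>
    </mirror>
  </mirrors>

  <profiles>
    <profile>
      <id>strict-checksums</id>
      <repositories>
        <repository>
          <!-- Redefining "central" lets its policies be set; the mirror above still serves it. -->
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <enabled>true</enabled>
            <!-- ignore | warn | fail: "fail" aborts the build on a checksum mismatch -->
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>
```

For a single build the same strictness is available from the command line with `mvn -C` (`--strict-checksums`), which fails the build on any checksum mismatch regardless of repository settings; as the comment notes, a checksum served from the same host as the artifact only detects corruption in transit, not a compromised server.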