[
https://issues.apache.org/jira/browse/MNG-5689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16405353#comment-16405353
]
Christopher Tubbs commented on MNG-5689:
----------------------------------------
According to https://maven.apache.org/settings.html repositories can be
configured (in settings.xml or pom.xml) like:
{code}
<repositories>
  <repository>
    <id>codehausSnapshots</id>
    <name>Codehaus Snapshots</name>
    <releases>
      <enabled>false</enabled>
      <updatePolicy>always</updatePolicy>
      <checksumPolicy>warn</checksumPolicy>
    </releases>
    <snapshots>
      <enabled>true</enabled>
      <updatePolicy>never</updatePolicy>
      <checksumPolicy>fail</checksumPolicy>
    </snapshots>
    <url>http://snapshots.maven.codehaus.org/maven2</url>
    <layout>default</layout>
  </repository>
</repositories>
{code}
However, mirrors can only specify (in settings.xml):
{code}
<mirrors>
  <mirror>
    <id>planetmirror.com</id>
    <name>PlanetMirror Australia</name>
    <url>http://downloads.planetmirror.com/pub/maven2</url>
    <mirrorOf>central</mirrorOf>
  </mirror>
</mirrors>
{code}
Mirrors should have the additional options that are missing:
{code}
<releases>
  <enabled>false</enabled>
  <updatePolicy>always</updatePolicy>
  <checksumPolicy>warn</checksumPolicy>
</releases>
<snapshots>
  <enabled>true</enabled>
  <updatePolicy>never</updatePolicy>
  <checksumPolicy>fail</checksumPolicy>
</snapshots>
<layout>default</layout>
{code}
That way, they can not only substitute for the policy for the repository, but
they can also override it.
Example:
{code}
<mirrors>
  <mirror>
    <id>planetmirror.com</id>
    <name>PlanetMirror Australia</name>
    <url>http://downloads.planetmirror.com/pub/maven2</url>
    <mirrorOf>central</mirrorOf>
    <releases>
      <enabled>true</enabled>
      <checksumPolicy>fail</checksumPolicy>
    </releases>
    <snapshots>
      <enabled>false</enabled>
    </snapshots>
  </mirror>
</mirrors>
{code}
> Checksum policy for mirrors
> ---------------------------
>
> Key: MNG-5689
> URL: https://issues.apache.org/jira/browse/MNG-5689
> Project: Maven
> Issue Type: Improvement
> Components: Settings
> Affects Versions: 3.2.3
> Reporter: Christopher Tubbs
> Priority: Major
> Labels: security-issue
>
> It does not appear that there is any way to configure a checksum policy for
> mirrors in the settings.xml file.
> In particular, I'd love to enforce a "strict" checksum policy on maven
> central. I can configure a mirrorOf central, but I cannot set the checksum
> policy. This seems like a big oversight.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
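The issue and the comment above are about which checksum policy actually applies to artifacts fetched through a mirror. The following audit script is an added example, not code from the Jira issue or from Maven itself. It parses a settings.xml or pom.xml fragment, reports every repository section whose effective checksum policy is weaker than "fail", and flags `<releases>`, `<snapshots>` or `<layout>` children placed under a `<mirror>` (the configuration the comment proposes), since the Maven version this issue reports against (3.2.3) defines no such elements for mirrors. It assumes Maven's documented policy values (`ignore`, `warn`, `fail`) and Maven's default of `warn` when `<checksumPolicy>` is omitted; the sample settings document embedded in it is constructed for the example.

```python
# Added example (not part of the Jira issue or of Maven): audit checksum
# policies declared in a Maven settings.xml / pom.xml fragment.
# Assumptions: Maven policy values are ignore | warn | fail, the default is
# "warn" when <checksumPolicy> is absent, and a <releases>/<snapshots>
# section that is absent counts as enabled.
import xml.etree.ElementTree as ET

VALID_POLICIES = {"ignore", "warn", "fail"}
DEFAULT_POLICY = "warn"                      # Maven default when element is absent
REPO_TAGS = {"repository", "pluginRepository"}
MIRROR_POLICY_TAGS = ("releases", "snapshots", "layout")


def _local(tag):
    """Strip a namespace: '{http://maven.apache.org/SETTINGS/1.0.0}id' -> 'id'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child of elem with local name `name`, or None."""
    if elem is None:
        return None
    return next((c for c in elem if _local(c.tag) == name), None)


def _text(elem, name, default=None):
    """Stripped text of child `name`, or `default` when absent/empty."""
    child = _child(elem, name)
    if child is None or child.text is None or not child.text.strip():
        return default
    return child.text.strip()


def audit_checksum_policies(xml_text):
    """Return one finding per repository section and one per mirror.

    Repository finding: kind, id, section, enabled, policy, valid, weak.
    A section is "weak" when it is enabled and its policy is not "fail".
    Mirror finding: kind, id, mirrorOf, policy_elements (policy children that
    Maven 3.2.3 does not define under <mirror> and therefore will not honour).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():                 # document order
        tag = _local(elem.tag)
        if tag in REPO_TAGS:
            repo_id = _text(elem, "id", "<no id>")
            for section in ("releases", "snapshots"):
                sec = _child(elem, section)
                enabled = _text(sec, "enabled", "true").lower() == "true"
                policy = _text(sec, "checksumPolicy", DEFAULT_POLICY)
                findings.append({
                    "kind": "repository", "id": repo_id, "section": section,
                    "enabled": enabled, "policy": policy,
                    "valid": policy in VALID_POLICIES,
                    "weak": enabled and policy != "fail",
                })
        elif tag == "mirror":
            findings.append({
                "kind": "mirror",
                "id": _text(elem, "id", "<no id>"),
                "mirrorOf": _text(elem, "mirrorOf", "<none>"),
                "policy_elements": [_local(c.tag) for c in elem
                                    if _local(c.tag) in MIRROR_POLICY_TAGS],
            })
    return findings


def weak_sections(xml_text):
    """(repository id, section) pairs that would not fail the build on a checksum mismatch."""
    return [(f["id"], f["section"]) for f in audit_checksum_policies(xml_text)
            if f["kind"] == "repository" and f["weak"]]


def ignored_mirror_policies(xml_text):
    """Mirror ids carrying policy elements that Maven 3.2.3 would not apply."""
    return [f["id"] for f in audit_checksum_policies(xml_text)
            if f["kind"] == "mirror" and f["policy_elements"]]


# Constructed sample settings.xml (namespaced, as real files are): a mirror of
# central plus a profile that redeclares central with a strict release policy
# and a second repository that relies on the defaults.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>internal-mirror</id>
      <url>https://mirror.example.invalid/maven2</url>
      <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>strict-central</id>
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases><checksumPolicy>fail</checksumPolicy></releases>
          <snapshots><enabled>false</enabled><checksumPolicy>warn</checksumPolicy></snapshots>
        </repository>
        <repository>
          <id>legacy-snapshots</id>
          <url>https://snapshots.example.invalid/maven2</url>
          <snapshots><updatePolicy>always</updatePolicy></snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>
</settings>"""

if __name__ == "__main__":
    for finding in audit_checksum_policies(SAMPLE_SETTINGS):
        print(finding)
    print("weak:", weak_sections(SAMPLE_SETTINGS))
```

The script audits what the file declares, not the policy Maven ends up applying after mirror substitution, which is exactly the gap the issue describes. Until a mirror can carry its own policy, the build-wide alternative is `mvn -C` (`--strict-checksums`), which fails the build on any checksum mismatch regardless of per-repository settings.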