[
https://issues.apache.org/jira/browse/MNG-5689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16412747#comment-16412747
]
Christopher Tubbs commented on MNG-5689:
----------------------------------------
I had a mirror with broken artifacts in it... which is what motivated me to
create this. Maven was perfectly happy downloading the broken artifacts,
warning about them (the default behavior), and then putting the broken
artifacts on the class path when I built my application. It was a pain to
figure out why my builds were failing. A strict "fail" checksum policy would
have made it obvious.
> Checksum policy for mirrors
> ---------------------------
>
> Key: MNG-5689
> URL: https://issues.apache.org/jira/browse/MNG-5689
> Project: Maven
> Issue Type: Improvement
> Components: Settings
> Affects Versions: 3.2.3
> Reporter: Christopher Tubbs
> Priority: Major
> Labels: security-issue
>
> It does not appear that there is any way to configure a checksum policy for
> mirrors in the settings.xml file.
> In particular, I'd love to enforce a "strict" checksum policy on maven
> central. I can configure a mirrorOf central, but I cannot set the checksum
> policy. This seems like a big oversight.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
