[jira] [Updated] (MRESOLVER-56) Support SHA256 and SHA512 as hashes

Mon, 03 Sep 2018 07:53:52 -0700 


     [ 
https://issues.apache.org/jira/browse/MRESOLVER-56?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated MRESOLVER-56:
-------------------------------------
    Description: 
As both supported checksums on remote repositories (namely MD5 and SHA1 have 
known flaws) it would be nice if the Maven Resolver could also leverage other 
hashes like SHA256 and SHA512.
Although those hashes aren't part of the official Maven 2 repository layout 
(https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
 couldn't find any newer/other spec) I don't see how an additional .SHA256 file 
could introduce backwards compatibility issues with older clients.

I think this namely would mean you would also return SHA512 and SHA256 if they 
exist and are supported by Java. The longer the hash the better it is, 
therefore the hashes should be checked in the following order
# SHA512
# SHA256
# SHA1
# MD5

  was:
As both supported checksums on remote repositories (namely MD5 and SHA1 have 
known flaws) it would be nice if the Maven Resolver could also leverage other 
hashes like SHA256 and SHA512.
Although those hashes aren't part of the official Maven 2 repository layout 
(https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
 couldn't find any newer/other spec) I don't see how an additional .SHA256 file 
could introduce backwards compatibility issues with older clients.


> Support SHA256 and SHA512 as hashes
> -----------------------------------
>
>                 Key: MRESOLVER-56
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-56
>             Project: Maven Resolver
>          Issue Type: Improvement
>          Components: resolver
>    Affects Versions: Maven Artifact Resolver 1.1.1
>            Reporter: Konrad Windszus
>            Priority: Major
>
> As both supported checksums on remote repositories (namely MD5 and SHA1 have 
> known flaws) it would be nice if the Maven Resolver could also leverage other 
> hashes like SHA256 and SHA512.
> Although those hashes aren't part of the official Maven 2 repository layout 
> (https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final,
>  couldn't find any newer/other spec) I don't see how an additional .SHA256 
> file could introduce backwards compatibility issues with older clients.
> I think this namely would mean you would also return SHA512 and SHA256 if 
> they exist and are supported by Java. The longer the hash the better it is, 
> therefore the hashes should be checked in the following order
> # SHA512
> # SHA256
> # SHA1
> # MD5



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to