[ https://issues.apache.org/jira/browse/MWRAPPER-93?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17838074#comment-17838074 ]
Jorge Solórzano commented on MWRAPPER-93:
-----------------------------------------

[~cstamas] no, MWRAPPER-75 introduced that feature; the issue here is related to this comment: [https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265742206]

The checksum is validated only on download or unpack, but not every time the script runs, which might be fine depending on who you ask.

In other words, should the checksum be validated on every run of *mvnw*, or only when a download/unpack is done?

If it's the latter, then this issue can be closed as Won't Fix.

> Distribution sha256 checksum not validated if the zip file was downloaded previously
> ------------------------------------------------------------------------------------
>
>                 Key: MWRAPPER-93
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-93
>             Project: Maven Wrapper
>          Issue Type: Bug
>          Components: Maven Wrapper Jar
>    Affects Versions: 3.2.0
>            Reporter: Jorge Solórzano
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 3.3.0
>
>
> If I make a first run without *distributionSha256Sum*, the Maven distribution
> will be downloaded without any checksum; this is the normal behavior.
> But if I later add the *distributionSha256Sum* to the
> maven-wrapper.properties file, having previously downloaded the distribution,
> the checksum is not verified. I consider this a bug, since even if the
> distribution is already downloaded and unpacked it could contain a
> compromised download.
> The options *alwaysUnpack* and *alwaysDownload* trigger the verification and
> provide an extra layer of security, but normally the local zip should
> always be verified if the *distributionSha256Sum* is set.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
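An added example, not code from the Maven Wrapper project or from this thread: a POSIX shell check that compares an already-downloaded distribution zip against *distributionSha256Sum* on every run, which is the behaviour the issue asks about. The function names, exit codes and the two path arguments (properties file, cached zip) are assumptions chosen for illustration, and only plain `key=value` property lines are handled.

```shell
#!/bin/sh
# Added example: re-verify a cached distribution zip on every run.
# Function names, exit codes and argument order are illustrative assumptions.

# Print the value of a key from a properties file (plain key=value lines only).
read_property() {
  # $1 = properties file, $2 = key; the last definition wins
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d ' \t\r'
}

# Print the lowercase hex SHA-256 digest of a file.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# $1 = maven-wrapper.properties, $2 = path of the cached distribution zip.
# Returns 0 on match (or when no checksum is configured), 1 on mismatch,
# 2 when a checksum is configured but the zip is missing.
verify_cached_distribution() {
  props=$1
  zip=$2
  expected=$(read_property "$props" distributionSha256Sum | tr 'A-F' 'a-f')
  if [ -z "$expected" ]; then
    echo "distributionSha256Sum not set; nothing to verify" >&2
    return 0
  fi
  if [ ! -f "$zip" ]; then
    echo "cached distribution not found: $zip" >&2
    return 2
  fi
  actual=$(sha256_of "$zip")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $zip" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}
```

The digest covers the archive only; a tree that was unpacked before the checksum was added is not covered by it, so a mismatch should also lead to discarding the unpacked copy.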