Nicolas Juneau created MNG-5728:
-----------------------------------
Summary: Switch the default checksum policy from "warn" to "fail"
Key: MNG-5728
URL: https://jira.codehaus.org/browse/MNG-5728
Project: Maven
Issue Type: Improvement
Components: Artifacts and Repositories
Reporter: Nicolas Juneau
Priority: Minor
The default checksum policy when obtaining artifacts during a build is
currently, by default, "warn". This seems a bit odd for me since a checksum is
usually used to prevent the use of corrupted data.
Since Maven produces a lot of output (and some IDEs sometimes hide it), it is
easy to miss a bad checksum warning. I am aware that there is a checksumPolicy
setting in Maven, but, unless I am mistaken, it cannot be defined for all
repositories at once. It has to be done either on a per-repository basis or by
using the "strict-checksum" flag in the command line.
After searching around a bit on the Web and with the help of a coworker, we
discovered that the default "warn" setting was mainly there because some
repositories were not handling checksums quite well. Issue MNG-339 contains
some information about this.
My colleague also chatted briefly with "trygvis" on IRC. Apparently, the
default "warn" setting is really there for historical reasons.
I believe that a default value of "fail" would greatly reduce the likelihood of
errors and also slightly increase the security of Maven. Corrupted artifacts
should not, by default, be used for builds.
--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
