Nicolas Juneau created MNG-5728: ----------------------------------- Summary: Switch the default checksum policy from "warn" to "fail" Key: MNG-5728 URL: https://jira.codehaus.org/browse/MNG-5728 Project: Maven Issue Type: Improvement Components: Artifacts and Repositories Reporter: Nicolas Juneau Priority: Minor
The default checksum policy when obtaining artifacts during a build is currently, by default, "warn". This seems a bit odd for me since a checksum is usually used to prevent the use of corrupted data. Since Maven produces a lot of output (and some IDEs sometimes hide it), it is easy to miss a bad checksum warning. I am aware that there is a checksumPolicy setting in Maven, but, unless I am mistaken, it cannot be defined for all repositories at once. It has to be done either on a per-repository basis or by using the "strict-checksum" flag in the command line. After searching around a bit on the Web and with the help of a coworker, we discovered that the default "warn" setting was mainly there because some repositories were not handling checksums quite well. Issue MNG-339 contains some information about this. My colleague also chatted briefly with "trygvis" on IRC. Apparently, the default "warn" setting is really there for historical reasons. I believe that a default value of "fail" would greatly reduce the likelihood of errors and also slightly increase the security of Maven. Corrupted artifacts should not, by default, be used for builds. -- This message was sent by Atlassian JIRA (v6.1.6#6162)