Re: MD5, SHA1, but nothing (still) safe?

2021-10-21 Thread Mykola Nikishov
Mickael Istria  writes:

> While I'm investigating Maven code to allow re-using checksums of
> Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and
> .sha1 seem to be used by Wagon and then also noticed that Maven Central
> doesn't contain a "safe" digest signature either.

[...]

> Is there an issue already open to move towards sha256 or should I create a
> new one?

Michael, as you know, Maven differs from Equinox's p2 approach to
resolving and downloading artifacts - in the Maven world, the closest match
to what p2 does would be a combination of Sonatype Nexus' Remote Index
(metadata) and repo.maven.apache.org (artifacts). So that Maven would
first download the remote index (from an ultimately trusted source, which
provides additional information about available artifacts, including
checksums) and resolve the list of dependencies to download based on that
information only. In a second step, it would download the actual artifacts
using either the same repo.maven.apache.org or any other source. This
second step can then use less trusted sources (3rd-party mirrors).

This difference seems to me to be the root cause of the initial confusion
with your question. With this in mind, as was mentioned already, moving to
stronger checksums is not that important or useful for Maven.

All discussion about stronger checksums in p2 [1] was relevant only
because my goal was to enable support for peer-to-peer protocols (more
generally, any content-addressable storage AKA bittorrent, ipfs and
alike) alongside location-addressable storage. And for this use case
support for an extensible set of (cryptographically strong) checksum
algorithms is a must.

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=423715

-- 
Mykola

Libre/Free Java Software Developer
https://manandbytes.gitlab.io/


-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
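
The two-step model described in the message above (checksums taken from a trusted index, bytes taken from any mirror or peer, with an extensible set of strong algorithms), as an added example that is not part of the original thread and is not Maven or p2 code. The index layout, coordinates and function names are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac

# Accepted for bytes fetched from untrusted sources, strongest first.
# MD5 and SHA-1 are left out on purpose: neither is collision resistant.
STRONG_ALGORITHMS = ("sha512", "sha256")

# Constructed sample data; the index layout and coordinates are hypothetical.
ARTIFACT = b"constructed artifact bytes"
TRUSTED_INDEX = {
    "org.example:demo:1.0": {
        "md5": "0" * 32,  # constructed placeholder, never consulted
        "sha256": hashlib.sha256(ARTIFACT).hexdigest(),
    },
    "org.example:legacy:0.9": {"sha1": "0" * 40},  # weak checksum only
}


class VerificationError(Exception):
    """Raised when bytes cannot be tied to a trusted index entry."""


def pick_checksum(entry):
    """Return (algorithm, hex digest) for the strongest accepted checksum."""
    for algo in STRONG_ALGORITHMS:
        if algo in entry:
            return algo, entry[algo]
    raise VerificationError("no strong checksum, only: %s" % sorted(entry))


def content_address(coords, index=TRUSTED_INDEX):
    """Location-independent key for asking any peer or mirror for the bytes."""
    algo, digest = pick_checksum(index[coords])
    return "%s:%s" % (algo, digest.lower())


def verify_download(coords, data, index=TRUSTED_INDEX):
    """Accept data from any source only if it matches the trusted index."""
    if coords not in index:
        raise VerificationError("not in trusted index: " + coords)
    algo, expected = pick_checksum(index[coords])
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        raise VerificationError("%s mismatch for %s" % (algo, coords))
    return algo
```

Adding an algorithm means adding its name to `STRONG_ALGORITHMS`; an index entry that carries only MD5 or SHA-1 is rejected rather than silently downgraded.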



Re: Paypal Declares Latest Release Pom in Maven Central

2020-01-17 Thread Mykola Nikishov
Petar Tahchiev  writes:

[...]

> Is there any way to tell Paypal to update their pom.xml and upload a
> new version?

Voting with your $$$ aside, try this:

https://github.com/paypal/merchant-sdk-java/commit/62fc5b74bc964fb3cf5f69c70e2a25ab70064e66.patch

-- 
Mykola

Libre/Free Java Software Developer
https://manandbytes.gitlab.io/





Re: Build DAG traversal.

2019-02-14 Thread Mykola Nikishov
Paul Hammant  writes:

> mvn clean install -DskipTests 
> -Dmaven.repo.local=/usr/local/var/MAVEN_CI_REPOSITORY

This would compile and test-compile for the first time...

> mvn surefire:test -Dmaven.repo.local=/usr/local/var/MAVEN_CI_REPOSITORY

Run compile and test-compile one more time, on the same sources, for
artifacts that had been just installed. Does it make sense to skip them
with '-Dmaven.main.skip=true -Dmaven.test.skip=true' [1]?

[1] 
https://maven.apache.org/plugins/maven-compiler-plugin/compile-mojo.html#skipMain

-- 
Mykola

Libre/Free Java Software Engineer
https://manandbytes.gitlab.io/





[jira] Created: (MPMULTIPROJECT-56) Wrong basedir property in produces unuseful error message

2005-08-04 Thread Mykola Nikishov (JIRA)
Wrong basedir property in  produces unuseful error message


 Key: MPMULTIPROJECT-56
 URL: http://jira.codehaus.org/browse/MPMULTIPROJECT-56
 Project: maven-multiproject-plugin
Type: Bug
Versions: 1.4.1
 Environment: Linux, Maven 1.0.2/Maven 1.1-beta-1
 Reporter: Mykola Nikishov
 Assigned to: Brett Porter 
 Attachments: extendbug.tar.gz, wrongextend.patch

In one of my projects I've misspelt the basedir property in this way:

--- ok/project.xml  2005-08-05 00:55:49.0 +0300
+++ bug/project.xml 2005-08-05 00:55:28.0 +0300
@@ -1,6 +1,6 @@
 
 
-${basedir}/../project.xml
+{$basedir}/../project.xml
 3
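
Review bot: on the `+` line the opening brace and the dollar sign are swapped, `{$basedir}` instead of the `${basedir}` form on the `-` line, so the value no longer has the `${...}` property syntax. Keep `${basedir}/../project.xml`. Separately, neither error message quoted below names this value or the file it came from, so the plugin's error would be more useful if it included the path it tried to read.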

and Maven reported:

File.. /home/mn/.maven/cache/maven-multiproject-plugin-1.4.1/plugin.jelly
Element... maven:reactor
Line.. 64
Column 9
Unknown error reading project

for Maven 1.1-beta-1 and

File.. /home/mn/.maven/cache/maven-multiproject-plugin-1.4.1/plugin.jelly
Element... maven:reactor
Line.. 64
Column 9
Parent POM is equal to the current POM

for Maven 1.0.2

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

