Martin Vysny created MNG-6422:
---------------------------------

Summary: Maven by default does not check checksums; Maven lacks reproducible builds capability
Key: MNG-6422
URL: https://issues.apache.org/jira/browse/MNG-6422
Project: Maven
Issue Type: Bug
Affects Versions: 3.5.0
Reporter: Martin Vysny
Maven by default does not check checksums of downloaded jar files. That leads to ridiculous situations like, for example, when a misconfigured Artifactory instance provides an HTML directory listing instead of an actual jar file (because of an incorrect path, access denied, or some other reason). Maven should reject such a jar file (since it can't match the checksum), but instead it happily stores it in the local repository and then later fails, reporting that it's not a valid zip file.

This issue exposes something even worse: you actually can't have reproducible builds with Maven, since the reproducibility of the build depends on whatever you have in your local .m2 repository. So, for example, the build fails for me (since my local .m2 is populated with borked jar files which are really HTML files), but it succeeds for my colleagues (simply because they populated their local .m2 repo at a different time and they have proper, actual jar files).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
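Maven can already be told to fail on a mismatch (`-C`/`--strict-checksums` on the command line, or `<checksumPolicy>fail</checksumPolicy>` per repository in settings.xml), but that does nothing for jars that are already cached. The audit below is an added example, not code from the issue or the Maven project: it walks a local repository and flags jars that are not zip archives or whose SHA-1 differs from the `.sha1` sidecar Maven stores beside each artifact, run here over a constructed sample repository in a temporary directory.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def check_jar(jar: Path) -> list:
    """Problems found for one cached jar; an empty list means it looks sane."""
    data, problems = jar.read_bytes(), []
    # A jar is a zip archive; an HTML listing saved under the jar name is not.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        problems.append("not a zip archive")
    # Maven keeps the remote's .sha1 beside the artifact; the content must match it.
    sidecar = jar.with_name(jar.name + ".sha1")
    if not sidecar.exists():
        problems.append("no .sha1 sidecar")
    elif (sidecar.read_text().split() or [""])[0].lower() != sha1_hex(data):  # "<hex>" or "<hex>  <file>"
        problems.append("sha1 mismatch")
    return problems

def audit_repo(root: Path) -> dict:
    """Map each suspicious jar (path relative to root) to its list of problems."""
    findings = {}
    for jar in sorted(root.rglob("*.jar")):
        if problems := check_jar(jar):
            findings[jar.relative_to(root).as_posix()] = problems
    return findings

def make_jar(manifest: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def build_sample_repo(root: Path = None) -> Path:
    """Constructed local repo: a good jar, an HTML listing, and a swapped jar.
    Every sidecar carries the hash the remote published for the real jar."""
    root = root or Path(tempfile.mkdtemp())
    good = make_jar("Manifest-Version: 1.0\n")
    swapped = make_jar("Manifest-Version: 1.0\nCreated-By: other\n")
    html = b"<html><body><a href='ok-1.0.jar'>ok-1.0.jar</a></body></html>"
    for name, content in (("ok", good), ("listing", html), ("swapped", swapped)):
        d = root / "org" / "example" / name / "1.0"
        d.mkdir(parents=True, exist_ok=True)
        (d / f"{name}-1.0.jar").write_bytes(content)
        (d / f"{name}-1.0.jar.sha1").write_text(sha1_hex(good))
    return root
```

Point `audit_repo` at `~/.m2/repository` to list the cached jars that would have been rejected had checksum verification been enforced at download time.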