Hello,


I have noticed that Microsoft started to add .sha256 checksums to their POMs
instead of .sha1.

It looks like Maven Central accepts this, so is this a global policy change?


https://repo.maven.apache.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.1.jre11/mssql-jdbc-12.4.1.jre11.pom.sha1

https://repo.maven.apache.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.pom.sha256


Strangely enough, Central did accept those, but it seems not to support them
with the Remote Included strategy (X- headers):


curl -I https://repo.maven.apache.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.pom

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 19942
ETag: "61cb3f21b65ec7957c85f899a7f5cbc4"
Content-Type: text/xml
Last-Modified: Fri, 27 Oct 2023 02:53:09 GMT
X-Checksum-MD5: 61cb3f21b65ec7957c85f899a7f5cbc4
X-Checksum-SHA1: 70d487ee6dd908c60527158246d03baf18269511
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Date: Tue, 21 Nov 2023 18:30:23 GMT
Age: 1531300
X-Served-By: cache-iad-kiad7000176-IAD, cache-fra-eddf8230077-FRA
X-Cache: HIT, HIT
X-Cache-Hits: 3, 1
X-Timer: S1700591424.912411,VS0,VE1

In any case, Maven 3.8 seems not to like it; it prints:


Warning: Could not validate integrity of download from https://repo.maven.apache.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.pom

org.eclipse.aether.transfer.ChecksumFailureException: Checksum validation failed, no checksums available
  at org.eclipse.aether.internal.impl.AbstractChecksumPolicy.onNoMoreChecksums (AbstractChecksumPolicy.java:64)
  at org.eclipse.aether.connector.basic.ChecksumValidator.validate (ChecksumValidator.java:107)
  at org.eclipse.aether.connector.basic.BasicRepositoryConnector$GetTaskRunner.runTask (BasicRepositoryConnector.java:460)
  at org.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run (BasicRepositoryConnector.java:364)
  at org.eclipse.aether.util.concurrency.RunnableErrorForwarder$1.run (RunnableErrorForwarder.java:75)
  at org.eclipse.aether.connector.basic.BasicRepositoryConnector$DirectExecutor.execute (BasicRepositoryConnector.java:628)
  at org.eclipse.aether.connector.basic.BasicRepositoryConnector.get (BasicRepositoryConnector.java:262)
  at org.eclipse.aether.internal.impl.DefaultArtifactResolver.performDownloads (DefaultArtifactResolver.java:514)
  ...

This happens with 3.8.8 in a GitHub Action (an example of that, here at line 19):

https://github.com/seeburger-ag/bis-resources/actions/runs/6947706560/job/18902089277?pr=20#step:4:20

but I am not sure whether this is somehow GH cache related (since there are no downloads).


With 3.9.4 directly, the warning seems not to happen - even when I specify
mvn -Daether.checksums.algorithms=SHA-1 to an empty local repo, I get no
warning.

When I use the same version through a Nexus 3 mirror, it does fail.


So questions:

- Is this a policy change in Central, or does Central neglect to enforce
sha1?

- Does Central need to include a sha2 header?

- Since when does Maven Resolver test for both?

- Is it still controlled with aether.checksums.algorithms?

- Does anybody know if Nexus 3 can support that?


Regards
Bernd
-- 
https://bernd.eckenfels.net
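
A simplified model of the situation in the message above, added here as an example (it is not Maven Resolver's code and not part of the original post): a client checks a download against its configured algorithms, using `X-Checksum-*` response headers and/or sidecar files. The `validate` function, its `use_headers` switch and the sample POM, headers and sidecars are all constructed for illustration.

```python
import hashlib

# algorithm -> (hashlib name, response header as seen in the post, sidecar extension).
# The response in the post carries no SHA-256 header, so none is modelled.
ALGS = {
    "SHA-256": ("sha256", None, ".sha256"),
    "SHA-1": ("sha1", "x-checksum-sha1", ".sha1"),
    "MD5": ("md5", "x-checksum-md5", ".md5"),
}

class NoChecksumsAvailable(Exception):
    pass

class ChecksumMismatch(Exception):
    pass

def validate(body, headers, sidecars, algorithms, use_headers):
    """Return (algorithm, source) for the first configured algorithm that has a
    published checksum; raise on a mismatch or when nothing is published."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    for alg in algorithms:
        hash_name, header, ext = ALGS[alg]
        published = []
        if use_headers and header in hdrs:
            published.append(("header", hdrs[header]))
        if ext in sidecars:
            # Sidecar files may read "<hex>  <filename>"; keep the first token.
            published.append(("sidecar", sidecars[ext].split()[0]))
        if not published:
            continue  # nothing published for this algorithm, try the next one
        actual = hashlib.new(hash_name, body).hexdigest()
        for source, expected in published:
            if expected.strip().lower() != actual:
                raise ChecksumMismatch(f"{alg} via {source}: {expected} != {actual}")
        return alg, published[0][0]
    raise NoChecksumsAvailable(f"none of {algorithms} is published")

# Constructed sample: a stand-in POM, with headers and sidecars derived from it.
# As in the post, only a .sha256 sidecar exists (no .sha1) and the headers
# carry MD5 and SHA-1 only.
POM = b"<project><artifactId>constructed-sample</artifactId></project>"
HEADERS = {
    "X-Checksum-MD5": hashlib.md5(POM).hexdigest(),
    "X-Checksum-SHA1": hashlib.sha1(POM).hexdigest(),
}
SIDECARS = {".sha256": hashlib.sha256(POM).hexdigest() + "  sample.pom\n"}
```

In this model, a client limited to SHA-1/MD5 sidecars ends with "no checksums available", while one that reads the headers or is configured for SHA-256 validates the same download.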