Mickael Istria <mist...@redhat.com> writes:

> While I'm investigating into Maven code to allow re-using checksums of
> Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and
> .sha1 seem to be used by Wagon and then also noticed that Maven Central
> doesn't contain a "safe" digest signature either.

[...]

> Is there an issue already open to move towards sha256 or should I create a
> new one?

Mickael, as you know, Maven differs from Equinox's p2 approach to resolving and downloading artifacts. In the Maven world, the closest match to what p2 does would be a combination of Sonatype Nexus' Remote Index (metadata) and repo.maven.apache.org (artifacts). So Maven would first download the remote index (from an ultimately trusted source, which provides additional information about available artifacts, including checksums) and resolve the list of dependencies to download based on that information only. In a second step, it would download the actual artifacts using either the same repo.maven.apache.org or any other source. This second step can then use less trusted sources (3rd-party mirrors).

This difference seems to me to be the root cause of the initial confusion with your question. With this in mind, as was mentioned already, moving to stronger checksums is not that important or useful for Maven.

All discussion about stronger checksums in p2 [1] was relevant only because my goal was to enable support for peer-to-peer protocols (more generally, any content-addressable storage, AKA bittorrent, ipfs and alike) alongside location-addressable storage. And for this use case, support for an extensible set of (cryptographically strong) checksum algorithms is a must.

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=423715

--
Mykola
Libre/Free Java Software Developer
https://manandbytes.gitlab.io/
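The two-step flow Mykola describes (digests taken from a trusted index, artifact bytes fetched from any mirror and accepted only if they match) is sketched below as an added example. It is not Maven, Wagon or Tycho code; the `.sha1`/`.sha256` sidecar layout it parses (hex digest, optionally followed by a filename as written by `sha1sum`/`sha256sum`) is the convention used on Maven repositories, and the two dicts standing in for the index and the mirror, the artifact path and the artifact bytes are all constructed for the example. The digest table is the "extensible set" of algorithms the message asks for: adding a further sidecar extension is one dict entry.

```python
"""Trusted-index checksum, untrusted-mirror bytes: verify before accepting.

Added example illustrating the mailing-list discussion; not project code.
"""
import hashlib
import hmac

# Checksum sidecar extension -> hashlib algorithm name.  Supporting another
# algorithm is a matter of adding an entry here (the "extensible set").
SIDECAR_ALGORITHMS = {
    ".md5": "md5",
    ".sha1": "sha1",
    ".sha256": "sha256",
    ".sha512": "sha512",
}

_HEX = set("0123456789abcdef")


def parse_sidecar(text):
    """Return the lower-cased hex digest stored in a checksum sidecar file.

    Files produced by sha1sum/sha256sum read '<hex>  <filename>'; others hold
    just the digest, usually with a trailing newline.  Only the first
    whitespace-separated token is used and it must be hexadecimal.
    """
    tokens = text.split()
    if not tokens or not set(tokens[0].lower()) <= _HEX:
        raise ValueError("checksum file does not start with a hex digest")
    return tokens[0].lower()


def artifact_matches(artifact, sidecar_name, sidecar_text):
    """True iff `artifact` hashes to the digest in the sidecar.

    The algorithm is chosen from the sidecar's extension; an unknown
    extension is an error rather than a silent pass.
    """
    ext = "." + sidecar_name.rsplit(".", 1)[-1]
    if ext not in SIDECAR_ALGORITHMS:
        raise ValueError("unsupported checksum type: %s" % ext)
    expected = parse_sidecar(sidecar_text)
    actual = hashlib.new(SIDECAR_ALGORITHMS[ext], artifact).hexdigest()
    # A length mismatch means a truncated file or the wrong algorithm; never
    # a match.  compare_digest keeps the comparison constant-time.
    return len(expected) == len(actual) and hmac.compare_digest(expected, actual)


def resolve(path, trusted_index, mirror, sidecar_ext=".sha256"):
    """Step 1: read the digest for `path` from the trusted index.
    Step 2: fetch the bytes from the (less trusted) mirror and accept them
    only if they match.  Both sources are plain dicts in this example.

    If the index has no digest for the artifact we stop: falling back to a
    checksum served by the mirror itself would verify nothing.
    """
    sidecar_name = path + sidecar_ext
    sidecar_text = trusted_index[sidecar_name]  # KeyError: no trusted digest
    artifact = mirror[path]
    if not artifact_matches(artifact, sidecar_name, sidecar_text):
        raise ValueError("checksum mismatch for %s fetched from mirror" % path)
    return artifact


# Constructed sample data.  The "artifact" is the three bytes b"abc" so the
# expected digests are the well-known test vectors for that input.
ARTIFACT_PATH = "org/example/demo/1.0/demo-1.0.jar"
TRUSTED_INDEX = {
    ARTIFACT_PATH + ".sha256":
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  demo-1.0.jar\n",
    ARTIFACT_PATH + ".sha1":
        "a9993e364706816aba3e25717850c26c9cd0d89d\n",
}
GOOD_MIRROR = {ARTIFACT_PATH: b"abc"}
TAMPERED_MIRROR = {ARTIFACT_PATH: b"abd"}

if __name__ == "__main__":
    print("accepted:", resolve(ARTIFACT_PATH, TRUSTED_INDEX, GOOD_MIRROR))
    try:
        resolve(ARTIFACT_PATH, TRUSTED_INDEX, TAMPERED_MIRROR)
    except ValueError as err:
        print("rejected:", err)
```

Run it with `python3` to see the clean mirror accepted and the tampered one rejected; swapping `sidecar_ext` to `".sha1"` exercises the same path with the weaker digest that Maven Central actually publishes.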