On 2021-10-21 at 19:11, Mykola Nikishov wrote:
> Mickael Istria <mist...@redhat.com> writes:
>> While I'm investigating into Maven code to allow re-using checksums of
>> Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and
>> .sha1 seem to be used by Wagon and then also noticed that Maven Central
>> doesn't contain a "safe" digest signature either.
>> [...]
>> Is there an issue already open to move towards sha256 or should I create a
>> new one?
> Michael, as you know, Maven differs from Equinox's p2 approach to
> resolve and download artifacts - in the Maven world, the closest match to what
> p2 does would be a combination of Sonatype Nexus' Remote Index
> (metadata) and repo.maven.apache.org (artifacts). So that Maven would
> first download the remote index (from an ultimately trusted source, which
> provides additional information about available artifacts, including
> checksums) and resolve the list of dependencies to download based on that
> information only. In a second step, it would download the actual artifacts
> using either the same repo.maven.apache.org or any other source. This
> second step can then use less trusted sources (3rd-party mirrors).

Thanks, I wasn't really aware how p2 works.

How do you define a trusted source or establish trust?

> This difference seems to me to be the root cause of the initial confusion with
> your question. With this in mind, as was mentioned already, moving to
> stronger checksums is not that important or useful for Maven.

You are talking about checksums now, but the title talks about
cryptographic hashes. Those are two different things. If you need a
strong checksum, use xxHash.

> All discussion about stronger checksums in p2 [1] was relevant only
> because my goal was to enable support for peer-to-peer protocols (more
> generally, any content-addressable storage AKA bittorrent, ipfs and
> alike) alongside location-addressable storage. And for this use case
> support for an extensible set of (cryptographically strong) checksum
> algorithms is a must.

Hashes, not checksums.

> [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=423715

I think this is deceiving because this still says nothing about trust
without a key.

The sole purpose of checksums in Resolver is to detect bitrot
(integrity). Authenticity is established with signatures, therefore
everyone on Maven Central must sign each file. MD5 and SHA-1 were just
there through MessageDigest, but I believe that it was a bad decision
back then.

M
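The integrity-versus-authenticity distinction made in this reply, as an added example that is not part of the thread or of Maven's own code: sidecar checksums (modelled as `.md5`/`.sha1`/`.sha256` hex files) catch a flipped bit, but a mirror that swaps the bytes and regenerates the sidecars passes every checksum check and only fails the signature check. Ed25519 is used here as a stand-in for the PGP signatures Maven Central requires, the key seed and artifact bytes are constructed, and all function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Sidecars models the checksum files a Maven repository serves next to an
// artifact (lib-1.0.jar.md5, .sha1, and here also .sha256) as hex digests.
type Sidecars struct{ MD5, SHA1, SHA256 string }

func Checksums(artifact []byte) Sidecars {
	m, s1, s256 := md5.Sum(artifact), sha1.Sum(artifact), sha256.Sum256(artifact)
	return Sidecars{hex.EncodeToString(m[:]), hex.EncodeToString(s1[:]), hex.EncodeToString(s256[:])}
}

// IntegrityOK is all a checksum can establish: the bytes match the sidecar
// served with them. A stronger digest algorithm does not change that.
func IntegrityOK(artifact []byte, s Sidecars) bool { return Checksums(artifact) == s }

// AuthenticOK is what a signature establishes: the bytes were signed by the
// holder of a key trusted independently of the download source. Ed25519
// stands in here for the PGP signatures Maven Central actually requires.
func AuthenticOK(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

// Scenario runs both checks against a bit-rotted copy (sidecars untouched)
// and against a mirror that replaced the bytes and regenerated the sidecars.
func Scenario() (bitrotIntegrity, mirrorIntegrity, mirrorAuthentic bool) {
	// Constructed publisher key from a fixed seed so the run is reproducible.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	artifact := []byte("constructed artifact bytes: org/example/lib/1.0/lib-1.0.jar")
	sidecars, sig := Checksums(artifact), ed25519.Sign(priv, artifact)
	rotted := append([]byte(nil), artifact...)
	rotted[10] ^= 0x01 // single flipped bit in transit
	mirrored := []byte("constructed replacement bytes from a third-party mirror")
	mirrorSidecars := Checksums(mirrored)

	return IntegrityOK(rotted, sidecars), IntegrityOK(mirrored, mirrorSidecars),
		AuthenticOK(pub, mirrored, sig)
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `false true false`: the checksum rejects bitrot, accepts the mirror's substituted bytes, and only the signature rejects them.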