Moving hashes (checksums) forward


Michael Osipov-2

I have been recently (indirectly) approached by Mark Thomas for the
Tomcat committers that he wants to provide SHA-2 hashes for all uploaded
Tomcat artifacts in Central. Since Nexus 2.14.18 supports this properly
for validation, I have picked up MRESOLVER-56 and asked for testing.

I'd like also to discuss two proposals for the Maven community:
1. Introduce SHA-2 support in Maven Resolver 1.4.3 which will go into
Maven 3.7.0
2. Deprecate MD5 and SHA-1 with that release and make them obsolete with
Maven 4.0 and Maven Resolver 2.0 which will include package change also.

Those proposals have the following greater implications:
  * Certain repo managers might reject hashes they don't know, as did
Nexus on repository.a.o.
  * This will incur two more requests with each upload and download. In
the latter, it will fail with 404 because most repo managers won't have
SHA-2 hashes. So fails Central for now. (will be solved with 2.)

  * All repo managers will need to
  ** rehash all current content to provide SHA-2 hashes
  ** Require SHA-2 hashes to be uploaded
  ** Reject MD5 and SHA-1 hashes
  * Old tools will fail because MD5 and SHA-1 hashes are gone:
  ** Uploads will be rejected
  ** Strict download validation will fail

Please comment. I will also provide a draft PR soon.
I can cast two formal votes if required.


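The lookup order and fallback that the proposals imply, as an added example that is not part of the original message and not Maven Resolver code: the client asks for SHA-2 sidecar files first, treats a 404 as "not published", and under a strict policy refuses MD5 and SHA-1. The dict-backed repository, the function names and the `.sha512`/`.sha256` sidecar extensions are assumptions.

```python
import hashlib

# Strongest first. A sidecar is "<artifact>.<algorithm>"; the SHA-2 extensions
# are assumed to follow the same convention as .sha1 and .md5.
ALGORITHMS = ("sha512", "sha256", "sha1", "md5")
WEAK = {"sha1", "md5"}


class ChecksumFailure(Exception):
    """Raised when an artifact cannot be validated under the chosen policy."""


def verify(repo, path, allow_weak=True):
    """Validate repo[path] against the strongest sidecar the repository serves.

    repo is a dict standing in for an HTTP repository: a missing key is a 404.
    Returns (algorithm_used, sidecar_requests_made).
    """
    artifact = repo[path]
    requests = 0
    for algo in ALGORITHMS:
        if algo in WEAK and not allow_weak:
            break  # strict policy: never fall back to MD5 or SHA-1
        requests += 1
        sidecar = repo.get(f"{path}.{algo}")
        if sidecar is None:
            continue  # 404: this hash is not published, try the next one
        # A sidecar may hold "<hex>" or "<hex>  <filename>": compare the first token.
        tokens = sidecar.decode("ascii", "replace").split()
        expected = tokens[0].lower() if tokens else ""
        if expected != hashlib.new(algo, artifact).hexdigest():
            # A published hash that is wrong must fail here, not fall through
            # to a weaker algorithm.
            raise ChecksumFailure(f"{algo} mismatch for {path}")
        return algo, requests
    raise ChecksumFailure(f"no acceptable checksum published for {path}")


def publish(repo, path, data, algos):
    """Constructed helper: store an artifact plus the requested sidecar files."""
    repo[path] = data
    for algo in algos:
        repo[f"{path}.{algo}"] = hashlib.new(algo, data).hexdigest().encode()


if __name__ == "__main__":
    path, repo = "g/a/1.0/a-1.0.jar", {}  # constructed sample coordinates
    publish(repo, path, b"constructed jar bytes", ("sha1", "md5"))
    print(verify(repo, path))  # legacy repo: two 404s before SHA-1 is found
```

Against a repository that publishes only MD5 and SHA-1, the default policy spends two extra requests on 404s before validating, and `allow_weak=False` raises `ChecksumFailure`.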