Add support for Coursier checksum verification #134
Why don't we make this compulsory with |
I guess I assumed Coursier defaults to |
Sorry, I wasn't clear -- we can make every call issued with Specifying SHA-1 has also been cracked, so it may make sense to prioritize |
1568ca6 to 3a1bd3e
@jin Better? Also, do you want it on or off by default? |
Hmm looks like there are issues with sha256 on the springboot example. Let's drop sha256 from the argument lists for now? Looks like sha1 is still the de facto standard for Maven deps. |
Strange... Fails:
Works:
Fails:
The fall-through doesn't seem perfectly reliable... |
40dc0a3 to 497faeb
@jin Green builds now |
LGTM.
This PR adds support for Coursier's --checksum flag. While it's not SHA pinning or verified with the actual SHA of the downloaded artifact, it's still better than nothing, which is the case today.
Also, if one uses HTTPS Maven repositories, in-transit tampering should be reasonably secure.
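
The description's distinction between a repository-served checksum and SHA pinning, shown as an added example that is not part of the PR or the project's code. The in-memory repository, the artifact path and all function names are constructed for illustration and do not reproduce Coursier's implementation.

```python
import hashlib
import hmac

ARTIFACT = "com/example/lib/1.0/lib-1.0.jar"  # constructed coordinate path

def make_repo(jar: bytes) -> dict:
    """Constructed in-memory repository: the artifact plus its sidecar .sha1 file."""
    return {ARTIFACT: jar, ARTIFACT + ".sha1": hashlib.sha1(jar).hexdigest().encode()}

def repo_checksum_ok(repo: dict, path: str) -> bool:
    """Check the download against the checksum file served by the same repository."""
    # Sidecar files may hold "digest  filename"; keep only the digest.
    served = repo[path + ".sha1"].decode().split()[0].lower()
    return hmac.compare_digest(hashlib.sha1(repo[path]).hexdigest(), served)

def pinned_checksum_ok(repo: dict, path: str, pinned_sha256: str) -> bool:
    """Check the download against a digest recorded in the build's own sources."""
    actual = hashlib.sha256(repo[path]).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.lower())

def run_scenarios() -> dict:
    good = b"constructed jar bytes v1.0"
    pin = hashlib.sha256(good).hexdigest()  # recorded when the dependency was reviewed

    intact = make_repo(good)
    # Corrupted transfer: artifact bytes differ, sidecar checksum is the original.
    corrupted = dict(intact)
    corrupted[ARTIFACT] = good[:-1] + b"X"
    # Artifact and sidecar were both changed at the repository.
    replaced = make_repo(b"constructed jar bytes, different content")

    cases = (("intact", intact), ("corrupted", corrupted), ("replaced", replaced))
    return {
        name: (repo_checksum_ok(repo, ARTIFACT), pinned_checksum_ok(repo, ARTIFACT, pin))
        for name, repo in cases
    }

if __name__ == "__main__":
    for name, (repo_ok, pin_ok) in run_scenarios().items():
        print(f"{name:10s} repo-served checksum: {repo_ok!s:5s}  pinned digest: {pin_ok}")
```

The repository-served check catches the corrupted download but accepts the case where artifact and sidecar were changed together; only the pinned digest rejects both.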