There was a TODO note in the shift security left page as follows:

    -C (checksum) flag in Maven? See Maven Artifact Checksums - What?

Not sure this belongs on the security page, as checksums are more than just a security concern. Also a few other questions I had:

[ ] How can we cause this to fail or confirm that it is working as expected? I can't seem to find any evidence of anything happening in the logs, even when using --debug.
[ ] If we are considering this for Maven, should we consider it for Gradle as well?
[ ] Any of the info I read about setting this to happen automatically via configuration says to do it in settings.xml, which is in ${HOME}/.m2, outside of the project. Configuration outside the project seems problematic in the context of this book, since we are relying on our example project to have all of our ideas configured and working.

All of these questions make me wonder how important it is to go down this rabbit hole to implement in our codebase or describe in the book portion. My initial thought is that it only warrants a passing mention (not in security, but not sure where), with maybe a link for further information. I wrote this spike up for us to think about it a little more deeply and to determine whether my initial thought makes sense for this book/project or whether we want to try to do something a bit more, and if so, to determine more precisely what that is. I think we can make that decision once we answer the aforementioned questions in the checklist.
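The following is an added example to help answer the first and third checklist items; it is not code from the book's project or from Maven. What -C / --strict-checksums actually does: when Maven Resolver downloads an artifact it also fetches the .sha1 (and .md5) sidecar served next to it and compares the two; by default a mismatch is only a WARNING, and -C turns it into a build failure. The comparison runs at download time only, so a build whose dependencies are already cached under ${HOME}/.m2 never performs it, which is why nothing shows in the logs. To see it fire, purge the artifact first (for example mvn dependency:purge-local-repository) or point -Dmaven.repo.local at an empty directory. The script below replays the same comparison over a local repository directory with sha1sum, demonstrates the failure case against a constructed fake artifact (the org/example/lib coordinates and the jar bytes are made up), and writes the flag into .mvn/maven.config, a real Maven feature (3.3.1 and later) that keeps the setting inside the project instead of settings.xml. The script name verify-checksums.sh in the comment is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the book's project or from Maven itself.
# verify_repo replays the comparison Maven Resolver makes when it downloads an
# artifact: SHA-1 of the file versus the .sha1 sidecar fetched next to it.
# With -C / --strict-checksums a mismatch fails the build; by default it only warns.

# SHA-1 hex digest of a file, using whichever tool the platform provides.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_repo DIR: check every .jar and .pom under DIR against its .sha1 sidecar.
# Returns 0 when every sidecar matches, 1 when any mismatch is found. Artifacts
# with no sidecar are reported but not counted as failures, matching Maven's
# behaviour when a repository serves no checksum at all.
verify_repo() {
    failures="$(mktemp)"
    find "$1" -type f \( -name '*.jar' -o -name '*.pom' \) |
    while IFS= read -r artifact; do
        sidecar="$artifact.sha1"
        if [ ! -f "$sidecar" ]; then
            echo "NO CHECKSUM  $artifact"
            continue
        fi
        # Sidecars are either "<hex>" or "<hex>  <filename>"; compare the first token.
        expected="$(tr -d '\r' <"$sidecar" | awk 'NR==1 {print tolower($1)}')"
        actual="$(sha1_of "$artifact")"
        if [ "$expected" = "$actual" ]; then
            echo "OK           $artifact"
        else
            echo "MISMATCH     $artifact (expected $expected, got $actual)"
            echo "$artifact" >>"$failures"   # the while loop is a subshell, so record on disk
        fi
    done
    count="$(wc -l <"$failures" | tr -d ' ')"
    rm -f "$failures"
    [ "$count" -eq 0 ]
}

# pin_strict_checksums PROJECT_DIR: make strict checksums the default for everyone
# who builds the project by adding the flag to .mvn/maven.config (read by Maven
# 3.3.1 and later), so it travels with the repository instead of ~/.m2/settings.xml.
pin_strict_checksums() {
    mkdir -p "$1/.mvn"
    if ! grep -qs -- '--strict-checksums' "$1/.mvn/maven.config"; then
        printf -- '--strict-checksums\n' >>"$1/.mvn/maven.config"
    fi
}

# Demonstration against a constructed repository: the artifact bytes and the
# org/example/lib coordinates are made up; the sidecar is computed from them.
demo_tampered_artifact() {
    repo="$(mktemp -d)"
    dir="$repo/org/example/lib/1.0"
    mkdir -p "$dir"
    printf 'constructed jar bytes' >"$dir/lib-1.0.jar"
    sha1_of "$dir/lib-1.0.jar" >"$dir/lib-1.0.jar.sha1"

    echo "--- untouched repository"
    verify_repo "$repo" && echo "checksums match; the build would continue"

    printf 'X' >>"$dir/lib-1.0.jar"          # simulate a corrupted or swapped jar
    echo "--- after tampering with the jar"
    verify_repo "$repo" || echo "mismatch detected; under -C the build would fail here"

    rm -rf "$repo"
}

if [ "$#" -gt 0 ]; then
    verify_repo "$1"           # e.g. ./verify-checksums.sh "$HOME/.m2/repository"
else
    demo_tampered_artifact
fi
```

Two caveats worth keeping in mind when deciding how much of this belongs in the book. First, the sidecar comes from the same server as the artifact, so this check catches corruption in transit or in the cache, not a compromised or substituted repository; guarding against that needs checksums pinned in the project or signature verification. Second, for the Gradle question: Gradle's equivalent is dependency verification, where gradle --write-verification-metadata sha256 generates gradle/verification-metadata.xml inside the project and later builds fail on any mismatch, which already answers the "configuration outside the project" concern for that tool. On the Maven side, a checksumPolicy of fail on a repository declared in the pom is the other project-local option, but it only applies to repositories the pom itself declares.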