Closed LogFlames closed 3 weeks ago
Summary/continuation:
Example of checksums-central.sha256:
000dd616298aebd21a9d5731874df083d7298424b91e037b73cbdd07ebc83e0e org/jboss/jboss-parent/36/jboss-parent-36.pom
001cde5b3c6ba91070425cfe9f2e695e4aeb8bc290a2d4cd96531127ab244fe5 org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.pom
005b5a3a88736bd2584f69cc59467e67c106e6a4b7a2dbd1ba2251267e96011d org/apache/commons/commons-lang3/3.10/commons-lang3-3.10.pom
00730f0fd33d55c28d00b417decee720b00cae4d27530819b0713a5c5d9d9f37 org/apache/maven/resolver/maven-resolver-named-locks/1.9.22/maven-resolver-named-locks-1.9.22.pom
00bcf388472ca80a687014181763b66d777177f22cbbf179fd60e1b1ac9bc9b0 org/apache/logging/log4j/log4j-core/2.24.1/log4j-core-2.24.1.jar
0124227bc47efc9a00b9aa4fc3ef7f70823d322213c26489e5369a914339c84a org/codehaus/plexus/plexus-component-annotations/1.5.4/plexus-component-annotations-1.5.4.pom
01ca7ebc4796fd603dab182c6c14b074250c6b2603b5454785eff003e76e5a19 io/vertx/vertx-codegen/4.5.10/vertx-codegen-4.5.10.jar
0043f72f611664735da8dc9a308bf12ecd2236b05339351c4741edb4d8fab0da org/junit/platform/junit-platform-engine/1.11.3/junit-platform-engine-1.11.3.jar
025caec7c56a0cb4d86c45bc18ac3e23dba291e22ebceb76302a9a9b9b7183cc org/apache/maven/wagon/wagon/1.0-beta-6/wagon-1.0-beta-6.pom
025f8aa20b019a8efc90b200129bb5d948c8459ed000f0444e8bca2a15e9e166 io/quarkus/quarkus-development-mode-spi/3.15.1/quarkus-development-mode-spi-3.15.1.pom
026fb505b0f954e24f88b0d91bd21030d43e92ba0a3cf4f9832ec31240c8829d io/smallrye/common/smallrye-common-io/2.5.0/smallrye-common-io-2.5.0.jar
02baad428c4a0fc2f503795d08644752a15731fb51c3da1add108d5e6ac5d283 org/wildfly/common/wildfly-common/1.7.0.Final/wildfly-common-1.7.0.Final.jar
02bada6f4bc3d1163d44cd626048c51f4a9a453e650c7c51e01601a9fa0e098e org/twdata/maven/mojo-executor-parent/2.4.0/mojo-executor-parent-2.4.0.pom
02f291e5d1243dc143496e3cbbb40a1ced47aa58f2d633d3e38780cd068d5074 commons-io/commons-io/2.8.0/commons-io-2.8.0.jar
02fc027d2d2c5ec90cb09db183d6a4810cbfb1ef47b944f4adcecef1aafeb1ef io/quarkus/qute/qute-core/3.15.1/qute-core-3.15.1.jar
0310865a9d620e254a5b380bfc17a94a94bc41b50ee8d298681735bd6a44c4d3 io/quarkus/quarkus-netty/3.15.1/quarkus-netty-3.15.1.pom
0342bdcbd23208534dde58819ddf937aabbe3d61a47231ffb06632fb47dd2657 org/sonatype/aether/aether-util/1.7/aether-util-1.7.pom
034e12a9d1d5f5618a9e0dda23aadda4ed659ec55240876b6e954cc2172be456 org/apache/maven/shared/maven-common-artifact-filters/3.1.0/maven-common-artifact-filters-3.1.0.pom
037b44a6f27020511a5e62125c529707c857a2a10aedb5d8a219717c4b6a6955 org/apache/maven/maven/4.0.0-alpha-5/maven-4.0.0-alpha-5.pom
03d960bd5aef03c653eb000413ada15eb77cdd2b8e4448886edf5692805e35f3 org/objenesis/objenesis/3.2/objenesis-3.2.jar
03e1898e878806cace2028d9b42cda3377d70ceb2b06253c43f6a587a0f67067 org/slf4j/jcl-over-slf4j/1.5.6/jcl-over-slf4j-1.5.6.jar
0424b2ff0c20265a084a32a4907521b28e7b86af25d131987a6b31ef63b9687c com/ethlo/time/itu/1.10.2/itu-1.10.2.jar
042a1cd1ac976cdcfe5eb63f1d8e0b0b892c9248e15a69c8cfba495d546ea52a org/jetbrains/kotlin/kotlin-stdlib/1.8.21/kotlin-stdlib-1.8.21.jar
043962b987eec7d11e84869277a1c4872d022c24aa837759fe17f98d7ed7a194 io/quarkus/quarkus-jsonp/3.15.1/quarkus-jsonp-3.15.1.jar
043f21c8e8f1e44fa4434bff9d8daed3c98642b414fad9d6c29ce4f120cb945c org/apache/maven/plugin-tools/maven-script/3.15.1/maven-script-3.15.1.pom
04534dea350a2187970a5b74444338bcf78ba8e537d44f262acfba16ebb33056 org/apache/maven/maven-parent/42/maven-parent-42.pom
[...]
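The listing above is the Maven Resolver "Trusted Checksums" summary format: one record per line, a lowercase SHA-256 hex digest, whitespace, then the repository-relative path of the artifact. The following parser and comparison script is an added example written for this page; it is not code from maven-lockfile, Maven or anyone in the thread. It parses that format strictly (a record without a well-formed 64-hex-digit hash is rejected rather than skipped, since a file Maven will trust must not carry unverifiable lines), counts records per artifact type, and reports which jar records are absent from a Maven Lockfile and which lockfile hashes the trusted set does not cover, i.e. the comparison the thread reports later. The sample trusted records are copied from the listing above; the `lockfile.json` fragment is constructed, and its field names (`checksumAlgorithm`, `checksum`, nested `children`) are an assumption about the lockfile schema, not taken from the page.

```python
"""Compare a Trusted Checksums summary (.mvn/checksums-central.sha256) with a
Maven Lockfile. Added example; not the project's own code."""
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# One record is "<sha256 hex> <repository-relative path>"; the digest must be
# exactly 64 hex digits or the line is not something Maven can verify against.
SHA256_HEX = re.compile(r"[0-9a-f]{64}")


@dataclass(frozen=True)
class TrustedEntry:
    sha256: str
    path: str  # e.g. org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.pom

    @property
    def extension(self) -> str:
        return self.path.rsplit(".", 1)[-1]


def parse_trusted_checksums(text: str) -> List[TrustedEntry]:
    """Parse the summary file; malformed records raise instead of being dropped."""
    entries: List[TrustedEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not SHA256_HEX.fullmatch(parts[0].lower()):
            raise ValueError(f"line {lineno}: malformed trusted checksum record: {raw!r}")
        entries.append(TrustedEntry(parts[0].lower(), parts[1]))
    return entries


def count_by_extension(entries: Iterable[TrustedEntry]) -> Dict[str, int]:
    """Records per artifact type, e.g. how many are .pom versus .jar."""
    return dict(Counter(e.extension for e in entries))


def lockfile_sha256s(lockfile_json: str) -> Set[str]:
    """Collect SHA-256 values from a lockfile.json.

    ASSUMPTION: dependency objects carry 'checksumAlgorithm' and 'checksum'
    and may nest transitive dependencies under 'children'. The walk is
    schema-agnostic on purpose so a different nesting still works.
    """
    found: Set[str] = set()

    def walk(node) -> None:
        if isinstance(node, dict):
            if node.get("checksumAlgorithm") == "SHA-256" and "checksum" in node:
                found.add(str(node["checksum"]).lower())
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(lockfile_json))
    return found


def jars_missing_from_lockfile(entries: Iterable[TrustedEntry], lockfile: Set[str]) -> List[TrustedEntry]:
    """Trusted jar records whose hash the lockfile does not record."""
    return sorted(
        (e for e in entries if e.extension == "jar" and e.sha256 not in lockfile),
        key=lambda e: e.path,
    )


def lockfile_hashes_not_trusted(entries: Iterable[TrustedEntry], lockfile: Set[str]) -> Set[str]:
    """Lockfile hashes absent from the trusted set (the thread reports none)."""
    return lockfile - {e.sha256 for e in entries}


# Sample trusted records, copied from the checksums-central.sha256 listing above.
TRUSTED_SAMPLE = """\
000dd616298aebd21a9d5731874df083d7298424b91e037b73cbdd07ebc83e0e org/jboss/jboss-parent/36/jboss-parent-36.pom
001cde5b3c6ba91070425cfe9f2e695e4aeb8bc290a2d4cd96531127ab244fe5 org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.pom
00bcf388472ca80a687014181763b66d777177f22cbbf179fd60e1b1ac9bc9b0 org/apache/logging/log4j/log4j-core/2.24.1/log4j-core-2.24.1.jar
02f291e5d1243dc143496e3cbbb40a1ced47aa58f2d633d3e38780cd068d5074 commons-io/commons-io/2.8.0/commons-io-2.8.0.jar
03d960bd5aef03c653eb000413ada15eb77cdd2b8e4448886edf5692805e35f3 org/objenesis/objenesis/3.2/objenesis-3.2.jar
"""

# Constructed lockfile fragment (assumed schema); objenesis is deliberately absent.
LOCKFILE_SAMPLE = json.dumps({
    "dependencies": [
        {"groupId": "org.apache.logging.log4j", "artifactId": "log4j-core", "version": "2.24.1",
         "checksumAlgorithm": "SHA-256",
         "checksum": "00bcf388472ca80a687014181763b66d777177f22cbbf179fd60e1b1ac9bc9b0",
         "children": [
             {"groupId": "commons-io", "artifactId": "commons-io", "version": "2.8.0",
              "checksumAlgorithm": "SHA-256",
              "checksum": "02f291e5d1243dc143496e3cbbb40a1ced47aa58f2d633d3e38780cd068d5074"},
         ]},
    ]
})

if __name__ == "__main__":
    trusted = parse_trusted_checksums(TRUSTED_SAMPLE)
    locked = lockfile_sha256s(LOCKFILE_SAMPLE)
    print("records by type:", count_by_extension(trusted))
    print("trusted jars missing from lockfile:", [e.path for e in jars_missing_from_lockfile(trusted, locked)])
    print("lockfile hashes not in trusted set:", lockfile_hashes_not_trusted(trusted, locked))
```

Run against a real project, the two result sets tell you different things: jars in the trusted file but not the lockfile are artifacts the build fetched that the lockfile never pinned (plugins, parent poms, build-time dependencies), while any lockfile hash the trusted file lacks would mean the lockfile pins something Maven was never asked to verify.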
Mail sent! :)
👍
Mail suggestion:
Features
Maven-Lockfile
Trusted Checksums
Both
The main thing missing from Trusted Checksums is the ability to download the specific versions specified. If a version range is specified, some manual work is required to check the specific version of the jar and specify that one in the pom.xml.
Suggestion: Maven Lockfile could (maybe via an optional parameter) set up the project to use Trusted Checksums.
Test on maven-lockfile
When run on the maven-lockfile project, the following results are obtained.
Trusted Checksums recorded 1222 checksums, of which 779 are checksums for .pom files. Maven Lockfile recorded 300 checksums. All checksums recorded in the lockfile are also recorded in the trusted checksums.
These checksums (filtered to only include jars) are in Trusted Checksums but missing in the lockfile: