LogFlames
Member

See #1281.

@LogFlames LogFlames linked an issue Jul 31, 2025 that may be closed by this pull request
@LogFlames LogFlames requested a review from algomaster99 July 31, 2025 13:26
@LogFlames LogFlames changed the title 🦺 feat: Force local checksum mode on validate 🦺 fix: Force local checksum mode on validate Jul 31, 2025
@LogFlames LogFlames mentioned this pull request Jul 31, 2025
@LogFlames LogFlames force-pushed the 1281-validate-should-always-compare-to-local-checksum branch from 6af6233 to ec15b59 on August 20, 2025 12:02
@algomaster99
Member

As far as I understand, the validate goal would compare the checksum of the dependency in lockfile with the ones on Maven central (remote) or m2 (local). Shouldn't both be enforced for validation?

@LogFlames
Member Author

Currently validate uses the check that was used to generate the lockfile. That is, if the lockfile is local it will check against the m2 folder; if the lockfile is remote it will check against Maven Central.

If you generated the lockfile only using your m2 folder, I think the check also only needs to be local.
However, if you generate the lockfile using remote, the validate check checks that they are the same on Maven Central, which (since we must trust Maven Central) from my understanding they will always be. Thus we want to verify that no one has tampered with our local m2 folder.

Running checks against both m2 and central for remote lockfiles could be an alternative. However, I don't know what we would catch by running it against remote at all, thus my proposal to only check against m2.
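As an added illustration of the behaviour described in the comments above (validate comparing every lockfile checksum against the artifact in the local m2 folder, whatever mode the lockfile was generated with), the following is example code written for this page, not code from the project under review. The lockfile layout, field names (`checksumMode`, `dependencies`, `checksum`) and helper functions are simplified assumptions; the sample jar bytes are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed, simplified lockfile shape (not the project's real schema):
# {"checksumMode": "remote" | "local",
#  "dependencies": [{"groupId", "artifactId", "version", "checksum"}]}


def m2_artifact_path(m2_root: Path, group_id: str, artifact_id: str, version: str) -> Path:
    """Path of a jar inside a standard ~/.m2/repository layout."""
    return (m2_root / "repository" / Path(*group_id.split(".")) / artifact_id / version
            / f"{artifact_id}-{version}.jar")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large jars do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_lockfile(m2_root: Path, coords: list, mode: str) -> dict:
    """Record the checksum of each dependency as currently present in the local repository.
    The mode is stored for information only; validate_local deliberately ignores it."""
    deps = []
    for group_id, artifact_id, version in coords:
        deps.append({
            "groupId": group_id, "artifactId": artifact_id, "version": version,
            "checksum": sha256_of(m2_artifact_path(m2_root, group_id, artifact_id, version)),
        })
    return {"checksumMode": mode, "dependencies": deps}


def validate_local(lockfile: dict, m2_root: Path) -> list:
    """Compare every lockfile entry against the local m2 folder, regardless of checksumMode.
    Returns a list of (coordinates, problem) tuples; an empty list means the local repo matches."""
    problems = []
    for dep in lockfile["dependencies"]:
        coords = f"{dep['groupId']}:{dep['artifactId']}:{dep['version']}"
        path = m2_artifact_path(m2_root, dep["groupId"], dep["artifactId"], dep["version"])
        if not path.exists():
            problems.append((coords, "artifact missing from local repository"))
            continue
        actual = sha256_of(path)
        if actual != dep["checksum"]:
            problems.append((coords, f"checksum mismatch: lockfile {dep['checksum'][:12]}... "
                                     f"local {actual[:12]}..."))
    return problems


def demo() -> tuple:
    """Constructed scenario: a clean local repo, then a tampered jar, then a removed jar."""
    with tempfile.TemporaryDirectory() as tmp:
        m2 = Path(tmp) / ".m2"
        jar = m2_artifact_path(m2, "org.example", "demo-lib", "1.0.0")
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"PK\x03\x04constructed-jar-contents")  # constructed sample artifact

        # Lockfile generated in "remote" mode; validation still runs against m2 only.
        lock = generate_lockfile(m2, [("org.example", "demo-lib", "1.0.0")], mode="remote")
        clean = validate_local(lock, m2)

        jar.write_bytes(b"PK\x03\x04tampered-jar-contents")  # simulate a modified local artifact
        tampered = validate_local(lock, m2)

        jar.unlink()  # simulate a missing local artifact
        missing = validate_local(lock, m2)

        return (len(clean),
                tampered[0][1].split(":")[0] if tampered else None,
                missing[0][1] if missing else None)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `validate_local` ignoring `checksumMode` is exactly the one made in the thread: a remote-mode lockfile re-checked against Maven Central would trivially agree, whereas the local m2 folder is the place where an unnoticed modification would show up.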

Successfully merging this pull request may close these issues.

Validate should always compare to local checksum