Could you add support for checksums to the MavenLibrary annotation to verify the integrity of the downloaded files? Maybe with the default value of an empty string to ignore it.
Interesting idea, yeah it'd definitely be possible.
What would be the use case though?
I assume checking that the downloaded dependency matches the checksum in the annotation. In this case, what would be the appropriate action if they don't match?
Would the check only occur if the file was already found, or would you check freshly downloaded files too?
Protect from MitM attacks if the file wasn't downloaded using HTTPS.
Connection issues -> half-downloaded files.
(Corrupt file, because of a flipped bit. Happens very rarely, because TCP already makes checksums)
In this case, what would be the appropriate action if they don't match?
I thought about this:
If the file already exists, try to re-download it and check again. If the verification still fails, load it only if the server administrator actually forces it (runtime parameter?) in cases where the library file was actually patched on purpose.
BTW: The standard Maven client performs checksum verifications too, but only prints a warning if the file doesn't match the provided checksum on the repository.
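The flow proposed in this thread (verify an existing file, re-download on mismatch, load a mismatching file only when the administrator forces it), sketched as an added example that is not code from the project or from any commenter. It assumes Java 17+, SHA-256 as the checksum algorithm, and hypothetical names throughout (`ChecksumVerifiedDownload`, the `libloader.allowChecksumMismatch` system property); an empty checksum disables the check, as the request suggests.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.*;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public final class ChecksumVerifiedDownload {
    // Hypothetical override for deliberately patched libraries: -Dlibloader.allowChecksumMismatch=true
    static final String FORCE_PROPERTY = "libloader.allowChecksumMismatch";

    /** True if expectedHex is empty (check disabled) or equals the file's SHA-256. */
    static boolean matches(Path file, String expectedHex) throws IOException, NoSuchAlgorithmException {
        if (expectedHex.isEmpty()) return true;
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        try (InputStream in = Files.newInputStream(file)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) sha256.update(buf, 0, n);
        }
        byte[] expected;
        try { expected = HexFormat.of().parseHex(expectedHex); }
        catch (IllegalArgumentException e) { return false; } // malformed checksum never matches
        return MessageDigest.isEqual(sha256.digest(), expected);
    }

    /** Downloads to a temp file so a half-written jar never sits at the final path. */
    static void download(URL source, Path target) throws IOException {
        Path tmp = Files.createTempFile(target.toAbsolutePath().getParent(), "lib", ".part");
        try (InputStream in = source.openStream()) {
            Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            Files.deleteIfExists(tmp);
        }
    }

    /** Returns the jar path only if it may be loaded; throws otherwise. */
    static Path resolve(URL source, Path target, String expectedSha256) throws Exception {
        if (Files.exists(target) && matches(target, expectedSha256)) return target;
        download(source, target);                       // missing or mismatching: fetch a fresh copy
        if (matches(target, expectedSha256)) return target;
        if (Boolean.getBoolean(FORCE_PROPERTY)) return target; // administrator explicitly accepted the mismatch
        Files.deleteIfExists(target);                   // do not leave an unverified jar behind
        throw new SecurityException("SHA-256 mismatch for " + target.getFileName());
    }
}
```

Because the expected digest is compiled into the annotation rather than fetched from the repository alongside the jar, the check still holds when the download itself went over plain HTTP.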