Nexus 3 - Validate retrieved content with md5 checksum?

I’m looking into the adoption of Nexus 3 repository manager. Our security manager has asked what security mechanisms are in place when retrieving content from Maven Central, e.g. in addition to the connection being SSL/TLS, does the Nexus RM compare the md5 checksums?

many thanks

Checksum validation is done by the client. In the case of central, clients such as Maven optionally will validate the checksum against the original published checksum. You can do that by setting checksumPolicy to either “warn” or “fail”:

https://maven.apache.org/settings.html#Repositories

If you’d like additional checks to be done you might be interested in our Nexus Firewall product:

That product allows you to define policies against the component’s licenses and known security vulnerabilities, and block components that violate those policies.

Rich

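As an added illustration of the `checksumPolicy` setting referenced in the answer above (this is example configuration, not something posted in the thread or shipped by Sonatype), here is a `settings.xml` that routes all requests through a Nexus 3 group repository and sets the policy to `fail` for the repository that the builds actually resolve from. The Nexus hostname is a placeholder; the repository `id` of `central` is deliberate, because it overrides the `central` definition inherited from the Maven super POM, which is where the default `warn` policy comes from.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">

  <!-- Send every artifact and plugin request through the Nexus 3 group
       repository. The hostname below is a placeholder (assumption). -->
  <mirrors>
    <mirror>
      <id>nexus</id>
      <mirrorOf>*</mirrorOf>
      <url>https://nexus.example.invalid/repository/maven-public/</url>
    </mirror>
  </mirrors>

  <profiles>
    <profile>
      <id>strict-checksums</id>

      <!-- Redefining the id "central" replaces the super POM's entry, so
           its checksumPolicy of "warn" is replaced by "fail". The mirror
           above still rewrites the URL to Nexus; the policy stays in force. -->
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2/</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </repository>
      </repositories>

      <!-- Plugins are resolved separately and need the same treatment. -->
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2/</url>
          <releases>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>
```

With `fail` in place, a download whose `.sha1`/`.md5` sidecar does not match the bytes received aborts the build instead of printing a warning. One caveat worth stating to the security manager: those sidecar checksums are fetched from the same repository as the artifact, so this check catches corrupted or truncated transfers, not an upstream that serves a tampered artifact together with a matching checksum. Integrity against that case comes from the repository's own signing (PGP signatures on Central) or from policy products such as the Nexus Firewall mentioned above.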

The upcoming Maven 4.0.0 release will switch the default checksum policy from “warn” to “fail”. See MNG-5728.

It will also upgrade Maven Resolver to 1.6.1. See MNG-6996, which lists all the new functionality, such as adding support for SHA-256 and SHA-512 as checksums.

I am not sure when v4.0.0 is due for release but I’m hoping it’s soon.