On the following project https://github.com/deanhiller/webpieces when I run
- ./gradlew release
it puts all the artifacts in /tmp/myRepo for a development release. What I do not understand is why so many hash files are generated ->
- core-asyncserver-2.1-developer.jar
- core-asyncserver-2.1-developer.jar.md5
- core-asyncserver-2.1-developer.jar.sha1
- core-asyncserver-2.1-developer.jar.sha256
- core-asyncserver-2.1-developer.jar.sha512
Is this really necessary? Can't we just generate like 1 hash file or something perhaps?
CodePudding user response:
In short, the checksums are generated because Gradle doesn't know where the artifact will be hosted, and different hosts accept different standards.
(To find out more about the importance of checksums, you can read the Gradle documentation, which describes their use from the point of view of a consumer.)
MD5 and SHA1 are "considered cryptographically broken", but (as of 1/10/2019) using both together was secure. This was noted when Gradle 6.0 added SHA256.
Gradle 6.0.1 added an option to disable SHA256 and SHA512 checksums. Add
- -Dorg.gradle.internal.publish.checksums.insecure=true
to the CLI, or add
- systemProp.org.gradle.internal.publish.checksums.insecure=true
to your gradle.properties file.
Allowing more fine grained control of the checksum generation was requested in January 2020, but declined.
So the 4 checksums are generated for purposes of maximising compatibility. I wouldn't be too concerned with them, they are small files and are quick to generate. It might be possible to create a custom Gradle task which will delete these files, but I'd advise against that because the defaults work fine and adjusting them might cause problems later.
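To make the consumer-side point concrete, here is an added example (not code from the webpieces project, the answer above, or Gradle itself) that writes the same four sidecar files next to an artifact and then verifies them the way a downloader should: every present digest must match, and at least one of SHA-256 or SHA-512 must be present and match, so MD5/SHA-1 only ever serve as a compatibility fallback. It assumes each sidecar holds one bare lowercase hex digest (the Maven-repository convention; this assumption is not checked against Gradle's source), and the jar contents are a constructed byte string, not a real build output.

```python
import hashlib
import hmac
import os
import tempfile

# Sidecar suffixes matching the four files Gradle publishes next to each artifact.
SUFFIXES = ("md5", "sha1", "sha256", "sha512")
# MD5 and SHA-1 are collision-broken; only these two should decide acceptance.
STRONG = ("sha512", "sha256")


def digest_bytes(data, algo):
    """Hex digest of an in-memory byte string (handy for small inputs and tests)."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo):
    """Stream a file through the named hashlib algorithm and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksums(path):
    """Write <path>.md5/.sha1/.sha256/.sha512 beside the artifact.
    Assumption (not verified against Gradle's source): each sidecar holds one
    bare lowercase hex digest, the Maven-repository convention."""
    for algo in SUFFIXES:
        with open(f"{path}.{algo}", "w", encoding="ascii") as f:
            f.write(digest_file(path, algo) + "\n")


def read_expected(sidecar):
    """Parse a sidecar; also tolerates 'hex  filename' lines as sha256sum writes them."""
    with open(sidecar, encoding="ascii") as f:
        text = f.read().strip()
    return text.split()[0].lower() if text else ""


def verify_checksums(path):
    """Return {algo: True (matched) / False (mismatched) / None (sidecar absent)}."""
    results = {}
    for algo in SUFFIXES:
        sidecar = f"{path}.{algo}"
        if not os.path.exists(sidecar):
            results[algo] = None
            continue
        expected = read_expected(sidecar)
        actual = digest_file(path, algo)
        # Constant-time compare; not strictly needed for public digests but cheap.
        results[algo] = hmac.compare_digest(expected, actual)
    return results


def is_trustworthy(results):
    """Accept only when no digest mismatched and at least one strong one matched.
    A repository that ships only .md5/.sha1 therefore fails this policy."""
    if any(v is False for v in results.values()):
        return False
    return any(results.get(algo) is True for algo in STRONG)


def demo():
    """Walk through intact, tampered, and weak-only cases on a constructed jar."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "core-asyncserver-2.1-developer.jar")
        with open(jar, "wb") as f:
            f.write(b"PK\x03\x04 constructed stand-in for jar bytes")  # constructed input
        write_checksums(jar)
        intact = is_trustworthy(verify_checksums(jar))

        with open(jar, "ab") as f:  # tamper with the artifact after publishing
            f.write(b"\x00")
        tampered = is_trustworthy(verify_checksums(jar))

        write_checksums(jar)  # republish the modified jar, then drop the strong sidecars
        for algo in STRONG:
            os.remove(f"{jar}.{algo}")
        weak_only = is_trustworthy(verify_checksums(jar))
    return intact, tampered, weak_only


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The policy in is_trustworthy is the practical reason to leave all four files in place rather than deleting some: a consumer on an old Maven client may only know how to read .md5 or .sha1, while a careful one can insist on .sha256 or .sha512, and both are served by the same publish step.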