Artifactory should deny downlaod of artifacts having bad or no client checksums when policy is set to "Verify against client checksums" (for example when using maven repo layout).
The problem we see is the fact that deploying with bad checksum indeed throws a 409 to the deploying client as expected, but the artifact can still be downloaded despite its (partially) bad checksum or completely missing checksum.
Our expectations would be that artifacts can only be downloaded if server checksum and client checksum really match when using policy "Verify against client checksums", thus not allowing any downloads when the desired checksums are missing or (partially) wrong.
We have for example artifacts with bad sha1 checksum but a good/correct md5 checksum in one of our repositories.
Another artifact having no sha1 checksum did also have no md5 checksum.
As said, both could be downloaded without any problems when we were expecting both to be blocked from any downloads.