| Re: [platform-dev] Signed content |
I don’t this mail is in good intentions. This is really offending and upsetting. This was not reported with the repository analysers either in platform or simrel. Here is the output of jarsigner when I ran on org.eclipse.jetty.util.ajax C:\Users\SRAVANLAKKIMSETTI\Downloads>"c:\EclipseTest\JAVA\jdk-11.0.10+9\bin\jarsigner.exe" -verify org.eclipse.jetty.util.ajax_10.0.2.jar jar verified. We do have a test in platform to verify unsigned content in the repository. That test will fail if any bundle is reported as unsigned. This is based on the repository analyser report generated during the build. We have been using this for quite some time. I myself has stopped simrel contribution multiple times the moment I notice a problem with signing. I don’t see a problem when the jarsigner returns as success. -Sravan From: Ed Merks <ed.merks@xxxxxxxxx> Hi, I am assume from observation that the platform team has decided to change its signing policy to not physically sign some jars anymore: https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/eclipse/updates/4.20-I-builds/index.html Hi, I am assume from observation that the platform team has decided to change its signing policy to not physically sign some jars anymore: This of course propagates to SimRel: https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/staging/2021-06/index.html I don't recall a Planning Council policy decision to drop/change the need for signed jars. I don't know the full impact this has on the installer nor on consumers. The installer at least appears to happily install such things and the IDE presents such things to the user as if they are signed:
Slowly I get the feeling that SimRel is a no longer process where we all work together as a team. Rather it feels as if the platform team can and does unilaterally make decisions for everyone else. Regards, |
