Re: [cross-project-issues-dev] A funny thing happened on the way to Mars.2 -- in Orbit


> > This will only be relevant to you if you use
> > org.apache.httpcomponents.httpclient
> > and exactly version
> > 4.3.6.v201411290715
> We seem to have it in our Oomph repos. I've checked this:
>
>      estepper@build:~/oomph/drops/release/1.3.0/plugins> jarsigner -verify -certs org.apache.httpcomponents.httpclient_4.3.6.v201411290715.jar
>      jar verified.
>
> So, we're good, right?
>

Yes, you're good.

And, to clarify, that is the right version to have in your Mars.2 repos (if you use it at all).

But since there is a "bad" one out there (in Orbit, at least) with the same version, I was suggesting to verify if it was in your project repositories to make sure you had the good one.

If it is the good one, you get "jar verified" as above.

If it is "the bad one" it will be pretty obvious:

$ jarsigner -verify org.apache.httpcomponents.httpclient_4.3.6.v201411290715.jar
jarsigner: java.lang.SecurityException: SHA1 digest error for org/apache/http/client/cache/HttpCacheEntry.class

And, FYI, the code has not been "tampered with" in any "bad" way. It is just that, since it is not signed correctly, p2 and others will not install it.

Thanks,
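
The "SHA1 digest error" shown in the message above is what jarsigner reports when an entry's bytes do not match the digest recorded for that entry in META-INF/MANIFEST.MF. The following is an added example, not part of the original message or of any Eclipse tooling, that reproduces just that comparison in Python; the function names and the in-memory sample jars are constructed for illustration.

```python
import base64, hashlib, io, sys, zipfile

# Manifest attribute name -> hashlib algorithm name
DIGESTS = {"SHA1-Digest": "sha1", "SHA-1-Digest": "sha1", "SHA-256-Digest": "sha256"}

def manifest_sections(text):
    """Yield each per-entry section of a MANIFEST.MF as a dict of attributes."""
    # A line that starts with one space continues the previous line (72-byte wrap).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
        if "Name" in attrs:
            yield attrs

def digest_mismatches(jar):
    """Return entry names whose bytes do not match the digest in the manifest."""
    bad = []
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        for attrs in manifest_sections(manifest):
            name = attrs["Name"]
            for key, algo in DIGESTS.items():
                if key in attrs and name in names:
                    actual = hashlib.new(algo, zf.read(name)).digest()
                    if base64.b64encode(actual).decode() != attrs[key]:
                        bad.append(name)
                        break
    return bad

def build_sample_jar(recorded, actual):
    """Constructed sample: a one-class jar whose manifest digests `recorded`."""
    name = "org/apache/http/client/cache/HttpCacheEntry.class"
    digest = base64.b64encode(hashlib.sha1(recorded).digest()).decode()
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: {name}\r\nSHA1-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(name, actual)
    return buf

if __name__ == "__main__":
    jars = sys.argv[1:] or [build_sample_jar(b"v1", b"v1"), build_sample_jar(b"v1", b"v2")]
    for jar in jars:
        bad = digest_mismatches(jar)
        print("digest error for: " + ", ".join(bad) if bad else "digests match")
```

This compares manifest digests only; it does not check the signature file, the signature block or the certificate chain, so `jarsigner -verify` remains the check to rely on.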



