Re: [cross-project-issues-dev] A funny thing happened on the way to Mars.2 -- in Orbit

Hi,

This seems strangely reminiscent of https://bugs.eclipse.org/bugs/show_bug.cgi?id=458925 . Though it was the reverse, the jar file was good but the pack200 was not.

That time it was affecting Orbit too. We might want to have a script running to check the signatures over there with each build?

Laurent Goubet
Obeo

On 16/02/2016 16:48, Andreas Sewe wrote:
> Hi,
>
> David M Williams wrote:
>> But since there is a "bad" one out there (in Orbit, at least) with the
>> same version, I was suggesting to verify if it was in your project
>> repositories to make sure you had the good one.
>>
>> If it is the good one, you get "jar verified" as above.
>>
>> If it is "the bad one" it will be pretty obvious:
>>
>> $ jarsigner -verify org.apache.httpcomponents.httpclient_4.3.6.v201411290715.jar
>> jarsigner: java.lang.SecurityException: SHA1 digest error for org/apache/http/client/cache/HttpCacheEntry.class
>
> FWIW, I just found out that only the plain JAR in Orbit is "bad"; the
> JAR.pack.gz is not, i.e., it unpack200s to a JAR that verifies just fine
> [1]. If your build prefers pack200ed JARs over plain JARs, you should
> get a "good" JAR from Orbit, but of course it's better to double-check
> what you are distributing exactly.
>
> Best wishes,
>
> Andreas
>
> [1] <https://bugs.eclipse.org/bugs/show_bug.cgi?id=487833#c12>


--

Laurent Goubet
Consultant
+33 2 51 13 51 42

7 Boulevard Ampère - Carquefou - France
obeo.fr | twitter | linkedin
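
Added example, not part of the original thread or of any Eclipse build script: one way to write the per-build signature check suggested above, verifying both the plain JAR and the JAR that each `.jar.pack.gz` unpacks to. The function names, the flat directory layout, and the `JARSIGNER`/`UNPACK200` override variables are assumptions.

```shell
#!/bin/sh
# Added example: verify every plain and pack200ed JAR in one directory.
# Assumption: jarsigner and unpack200 are on PATH (unpack200 only ships
# with JDKs older than 14); both can be overridden via the environment.
JARSIGNER=${JARSIGNER:-jarsigner}
UNPACK200=${UNPACK200:-unpack200}

# verify_jar FILE: succeeds only if jarsigner reports "jar verified".
# The exit status alone is not trusted, because jarsigner also exits 0
# for a JAR that carries no signature at all.
verify_jar() {
    "$JARSIGNER" -verify "$1" 2>&1 | grep -q 'jar verified'
}

# verify_packed FILE.jar.pack.gz: unpack to a temporary JAR, verify that.
# A failed unpack counts as a failed verification.
verify_packed() {
    tmp=$(mktemp -d) || return 2
    rc=1
    "$UNPACK200" "$1" "$tmp/unpacked.jar" >/dev/null 2>&1 &&
        verify_jar "$tmp/unpacked.jar" && rc=0
    rm -rf "$tmp"
    return $rc
}

# check_repo DIR: checks both forms of every bundle, because either one
# can be the broken one. Prints each failure, leaves the count in $bad,
# and returns non-zero if anything failed.
check_repo() {
    bad=0
    for f in "$1"/*.jar "$1"/*.jar.pack.gz; do
        [ -f "$f" ] || continue   # glob matched nothing
        case $f in
            *.jar.pack.gz) verify_packed "$f" ;;
            *)             verify_jar "$f" ;;
        esac || { echo "BAD SIGNATURE: $f"; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone use: ./check-signatures.sh path/to/plugins
if [ $# -gt 0 ]; then
    check_repo "$1"
fi
```

Run as a build step, a non-zero exit status fails the build before a JAR with a digest error is published.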


