Re: [cross-project-issues-dev] A funny thing happened on the way to Mars.2 -- in Orbit
Hi,
This seems strangely reminiscent of
https://bugs.eclipse.org/bugs/show_bug.cgi?id=458925 . Though it was
the reverse: the jar file was good but the pack200 was not.
That time it was affecting Orbit too. We might want to have a script
running to check the signatures over there with each build?
Laurent Goubet
Obeo
On 16/02/2016 16:48, Andreas Sewe wrote:
> Hi,
>
> David M Williams wrote:
>> But since there is a "bad" one out there (in Orbit, at least) with the
>> same version, I was suggesting to verify if it was in your project
>> repositories to make sure you had the good one.
>>
>> If it is the good one, you get "jar verified" as above.
>> If it is "the bad one" it will be pretty obvious:
>>
>> $ jarsigner -verify org.apache.httpcomponents.httpclient_4.3.6.v201411290715.jar
>> jarsigner: java.lang.SecurityException: SHA1 digest error for org/apache/http/client/cache/HttpCacheEntry.class
>
> FWIW, I just found out that only the plain JAR in Orbit is "bad"; the
> JAR.pack.gz is not, i.e., it unpack200s to a JAR that verifies just fine
> [1]. If your build prefers pack200ed JARs over plain JARs, you should
> get a "good" JAR from Orbit, but of course it's better to double-check
> what you are distributing exactly.
>
> Best wishes,
> Andreas
>
> [1] <https://bugs.eclipse.org/bugs/show_bug.cgi?id=487833#c12>
--
Laurent Goubet
Consultant
+33 2 51 13 51 42
7 Boulevard Ampère - Carquefou - France
obeo.fr | twitter | linkedin
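
An added example, not part of the original thread or of any Eclipse build tooling: a per-build check of the kind suggested above, which recomputes each entry's digest and compares it with the value recorded in `META-INF/MANIFEST.MF`, the comparison behind the "SHA1 digest error" quoted above. It assumes digest attributes of the form `<ALG>-Digest`, uses constructed sample bytes, and does not validate the signature file or certificate chain, so it complements `jarsigner -verify` rather than replacing it.

```python
import base64, hashlib, io, sys, zipfile

def parse_manifest(raw):
    """Return {entry name: {attribute: value}} for the per-entry manifest sections."""
    # Manifest lines are folded at 72 bytes; a continuation line starts with one space.
    text = raw.replace(b"\r\n", b"\n").replace(b"\n ", b"").decode("utf-8")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def digest_errors(jar):
    """List entries whose bytes do not match the digest recorded in MANIFEST.MF."""
    errors = []
    with zipfile.ZipFile(jar) as zf:
        for name, attrs in parse_manifest(zf.read("META-INF/MANIFEST.MF")).items():
            for key, expected in attrs.items():
                if not key.endswith("-Digest"):
                    continue
                label = key[: -len("-Digest")]  # e.g. SHA1, SHA-256
                try:
                    data = zf.read(name)
                except KeyError:
                    errors.append(f"{name}: listed in manifest but missing from JAR")
                    break
                actual = hashlib.new(label.replace("-", "").lower(), data).digest()
                if base64.b64encode(actual).decode() != expected.strip():
                    errors.append(f"{label} digest error for {name}")
    return errors

def build_sample_jar(tampered):
    """Constructed sample: one-entry JAR in memory; `tampered` alters the entry bytes."""
    name = "org/apache/http/client/cache/HttpCacheEntry.class"
    good = b"\xca\xfe\xba\xbe constructed class bytes"
    digest = base64.b64encode(hashlib.sha1(good).digest()).decode()
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: {name}\r\nSHA1-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(name, (good + b"!") if tampered else good)
    return buf

if __name__ == "__main__":
    results = {p: digest_errors(p) for p in sys.argv[1:]}
    for p, errs in results.items():
        print(p, "OK" if not errs else errs)
    sys.exit(1 if any(results.values()) else 0)
```

Run against the JAR paths of a build's output repository, a non-zero exit status marks at least one entry whose content no longer matches its manifest digest.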