Re: [orbit-dev] different signatures, but same content orbit bundles?

On Mon, 2020-10-19 at 12:32 -0400, Jonah Graham wrote:
> Hello folks,
> The orbit project seems to be publishing different bundles with the
> same qualified name, but different content, at least different
> signatures.
> I came across this because 2020-09 Simrel
> has org.apache.commons.lang3 with an old signature, but the content
> qualifier of the jar is the same as Orbit's 2020-09 R repo.
> Should Orbit have the same qualified version that only differs by
> signature? Is that expected?
> I came across this (and the related can of worms) trying to track
> down Bug 499207 and explain it but
looking from the bug, you've also found the reason.

Many old bundles have not been rebuilt using orbit-recipes and were
carried along in the old repository (hence the really old qualifiers
from e.g. 2014). For many of these, their certificates will eventually
expire requiring them to either be moved over to orbit-recipes, or re-
signed. Given how many there are, I think re-signing is the approach to
take, and removing what isn't needed anymore.

I kept the qualifiers the same as the approach to take was easier that
way, and didn't require updating them in other places where they might
be hard-coded.

Roland Grunberg
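
A check for the situation discussed in this thread, as an added example that is not part of either message or of Orbit's tooling: given two JARs with the same name and qualified version, it reports whether they differ only in their signature files or in actual content. The function names and the sample bundle are constructed for illustration; it assumes the standard jarsigner layout under `META-INF/` and does not verify the signatures themselves.

```python
import hashlib
import io
import re
import zipfile

# Files jarsigner adds under META-INF/ (standard JAR signing layout).
SIG_RE = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)

def split_jar(jar_bytes):
    """Return (content, signatures): entry name -> SHA-256 hex digest."""
    content, sigs = {}, {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                # Signing rewrites the per-entry digest sections, so compare
                # only the main section (everything before the first blank line).
                data = re.split(rb"\r?\n\r?\n", data.strip(), maxsplit=1)[0]
            target = sigs if SIG_RE.match(info.filename) else content
            target[info.filename] = hashlib.sha256(data).hexdigest()
    return content, sigs

def compare_bundles(jar_a, jar_b):
    """Classify two bundles that share a name and qualified version."""
    content_a, sigs_a = split_jar(jar_a)
    content_b, sigs_b = split_jar(jar_b)
    if content_a != content_b:
        return "content-differs"
    return "identical" if sigs_a == sigs_b else "signature-differs"

def build_jar(entries):
    """Build an in-memory JAR from {name: bytes} (for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: one payload, two different signature blocks.
    main = b"Manifest-Version: 1.0\r\nBundle-Version: 1.0.0.v2014\r\n\r\n"
    body = {"META-INF/MANIFEST.MF": main, "example/Util.class": b"\xca\xfe"}
    old = build_jar({**body, "META-INF/OLD.SF": b"a", "META-INF/OLD.RSA": b"b"})
    new = build_jar({**body, "META-INF/NEW.SF": b"c", "META-INF/NEW.RSA": b"d"})
    print(compare_bundles(old, new))  # signature-differs
```

A "signature-differs" result for two artifacts with the same qualifier means consumers that pin by checksum will see a mismatch even though the payload is unchanged.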
