Re: [orbit-dev] different signatures, but same content orbit bundles?

On Mon, 19 Oct 2020 at 13:08, Roland Grunberg <rgrunber@xxxxxxxxxx> wrote:
On Mon, 2020-10-19 at 12:32 -0400, Jonah Graham wrote:
> Hello folks,
>
> The orbit project seems to be publishing different bundles with the
> same qualified name, but different content, at least different
> signatures.
>
> I came across this because 2020-09 Simrel
> has org.apache.commons.lang3 with an old signature, but the content
> qualifier of the jar is the same as Orbit's 2020-09 R repo.
>
> Should Orbit have the same qualified version that only differs by
> signature? Is that expected?
>
> I came across this (and the related can of worms) trying to track
> down Bug 499207

https://bugs.eclipse.org/bugs/show_bug.cgi?id=552251#c14 and
https://bugs.eclipse.org/bugs/show_bug.cgi?id=553288 explain it but
looking from the bug, you've also found the reason.

Many old bundles have not been rebuilt using orbit-recipes and were
carried along in the old repository (hence the really old qualifiers
from e.g. 2014). For many of these, their certificates will eventually
expire requiring them to either be moved over to orbit-recipes, or re-
signed. Given how many there are, I think re-signing is the approach to
take, and removing what isn't needed anymore.

I kept the qualifiers the same as the approach to take was easier that
way, and didn't require updating them in other places where they might
be hard-coded.


Thanks Roland for the extra background. That covers some of the cases. However I am seeing lots of cases of Orbit having a validly signed bundle, but SimRel has the older version in it because one of the projects with the dependency is using old (sometimes very old) orbits in their target platform. At the moment the policy is that Orbit does not contribute to SimRel directly, but each project does instead. Is there some way we can make sure that the bundles with the same fully qualified version in SimRel are from the latest orbit build?

Is this just an extra validation step we have to add, or is there something deeper going on here that I am unaware of?

Thanks,
Jonah 

 
--
Roland Grunberg
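
One possible shape for the validation step asked about above, as an added example that is not part of the thread and is not Orbit or SimRel tooling: it pairs bundles by Bundle-SymbolicName and Bundle-Version and reports whether the copies differ only in their JAR signature files. Assumptions: "content" means every non-signature entry plus the main manifest section, and the bundle name `org.example.lib`, its qualifier and the `ECLIPSE_.RSA` entry are constructed sample data. It compares signatures only and does not validate them or check certificate expiry.

```python
import hashlib
import io
import zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # JAR signature files under META-INF/

def describe(jar_bytes):
    """Return (symbolic name, version, payload digest, signature digest)."""
    payload, signature, headers = hashlib.sha256(), hashlib.sha256(), {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in sorted(jar.namelist()):
            data = jar.read(entry)
            if entry == "META-INF/MANIFEST.MF":
                # Keep only the main section: signing rewrites the per-entry digest sections.
                text = data.decode("utf-8").replace("\r\n", "\n")
                main = text.split("\n\n")[0].replace("\n ", "")  # unfold continuation lines
                headers = dict(l.split(": ", 1) for l in main.splitlines() if ": " in l)
                data = main.encode("utf-8")
            upper = entry.upper()
            is_sig = (upper.startswith("META-INF/") and upper.count("/") == 1
                      and upper.endswith(SIG_SUFFIXES))
            digest = signature if is_sig else payload
            digest.update(entry.encode("utf-8") + b"\0" + data + b"\0")
    name = headers["Bundle-SymbolicName"].split(";")[0].strip()
    return name, headers["Bundle-Version"].strip(), payload.hexdigest(), signature.hexdigest()

def compare(simrel_jars, orbit_jars):
    """Classify bundles that share a fully qualified version in both repositories."""
    orbit = {d[:2]: d for d in map(describe, orbit_jars)}
    findings = []
    for name, version, payload, sig in map(describe, simrel_jars):
        latest = orbit.get((name, version))
        if latest is not None:  # skip bundles this Orbit build does not publish
            status = ("content-differs" if payload != latest[2]
                      else "signature-differs" if sig != latest[3] else "identical")
            findings.append((name, version, status))
    return findings

def make_jar(signature_block):
    """Constructed sample bundle; only the signature block varies between copies."""
    manifest = ("Manifest-Version: 1.0\nBundle-SymbolicName: org.example.lib\n"
                "Bundle-Version: 1.0.0.v20140101\n\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/ECLIPSE_.RSA", signature_block)
        jar.writestr("org/example/Lib.class", b"\xca\xfe\xba\xbe constructed")
    return buf.getvalue()

if __name__ == "__main__":
    print(compare([make_jar(b"old-signature")], [make_jar(b"re-signed")]))
```

A `signature-differs` finding is the case described in this thread: same qualified version, same payload, but the aggregated copy does not carry the signature of the latest Orbit build.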
