Posted to repository@apache.org by Brett Porter <br...@gmail.com> on 2004/09/28 17:38:00 UTC

old JAR files changed in java-repository

I tried to build maven 1.0 clean today and found out that on Sep 2,
commons-jelly and a few of its tag libs had changed on ibiblio. These
were already released jars that changed size. I checked around and
discovered the source of the change seems to be java-repository at
Apache.

Any ideas how this happened?

One particular offending file:
> ls -l /www/www.apache.org/dist/java-repository/commons-jelly/jars/ | grep 20030902
-rw-r--r--  1 mdiggory  jakarta  161479 Sep  2 00:08 commons-jelly-20030902.160215.jar
> md5 </www/www.apache.org/dist/java-repository/commons-jelly/jars/commons-jelly-20030902.160215.jar
d1e3117b90f697e6503e4ddf76bc0402

The original:
[maven@tribal repaired]$ md5sum commons-jelly/jars/commons-jelly-20030902.160215.jar
b171e535366191e437cff6d64df33561  commons-jelly/jars/commons-jelly-20030902.160215.jar
[maven@tribal repaired]$ ls -l commons-jelly/jars/commons-jelly-20030902.160215.jar
-rwxr-xr-x    1 maven    users      154418 Sep 28 09:00 commons-jelly/jars/commons-jelly-20030902.160215.jar
(this is identical to the version distributed with Maven 1.0 back in July)

The full list from the Maven 1.0 build that differ:
commons-jelly/jars/commons-jelly-20030902.160215.jar
commons-jelly/jars/commons-jelly-tags-antlr-20030211.143720.jar
commons-jelly/jars/commons-jelly-tags-define-20030211.142932.jar
commons-jelly/jars/commons-jelly-tags-html-20030317.100924.jar
commons-jelly/jars/commons-jelly-tags-interaction-20030211.143817.jar
commons-jelly/jars/commons-jelly-tags-jsl-20030211.143151.jar
commons-jelly/jars/commons-jelly-tags-log-20030211.142821.jar
commons-jelly/jars/commons-jelly-tags-swing-20030211.143925.jar
commons-jelly/jars/commons-jelly-tags-util-20030211.141939.jar
commons-jelly/jars/commons-jelly-tags-velocity-20030303.205659.jar
commons-jelly/jars/commons-jelly-tags-xml-20030211.142705.jar

I have corrected the versions on ibiblio (being newer, they should
stay that way), but left Apache alone to find out what happened. I'd
really like to know if we can resolve this to avoid it in the future,
and to see if anything else was possibly affected.

Thanks,
Brett

Re: old JAR files changed in java-repository

Posted by Brett Porter <br...@gmail.com>.
Hi Mark,

I'm going to need you to take a look at this. The bad versions on
www.apache.org/dist/java-repository aren't writeable by anyone but
you, and they keep syncing over the top of the ones at ibiblio.

I have dropped the original JARs here:
http://www.apache.org/~brett/repaired_repo/commons-jelly/jars/
(you can obviously grab these directly on cvs.apache.org)

I'd really appreciate you looking into this, so that the corrupted
jars don't spread.

I still have no idea how the jars actually got changed... weird.

Thanks,
Brett

On Wed, 29 Sep 2004 01:38:00 +1000, Brett Porter <br...@gmail.com> wrote:
> I tried to build maven 1.0 clean today and found out that on Sep 2,
> commons-jelly and a few of its tag libs had changed on ibiblio. These
> were already released jars that changed size. I checked around and
> discovered the source of the change seems to be java-repository at
> Apache.
> 
> Any ideas how this happened?
> 
> One particular offending file:
> > ls -l /www/www.apache.org/dist/java-repository/commons-jelly/jars/ | grep 20030902
> -rw-r--r--  1 mdiggory  jakarta  161479 Sep  2 00:08 commons-jelly-20030902.160215.jar
> > md5 </www/www.apache.org/dist/java-repository/commons-jelly/jars/commons-jelly-20030902.160215.jar
> d1e3117b90f697e6503e4ddf76bc0402
> 
> The original:
> [maven@tribal repaired]$ md5sum commons-jelly/jars/commons-jelly-20030902.160215.jar
> b171e535366191e437cff6d64df33561  commons-jelly/jars/commons-jelly-20030902.160215.jar
> [maven@tribal repaired]$ ls -l commons-jelly/jars/commons-jelly-20030902.160215.jar
> -rwxr-xr-x    1 maven    users      154418 Sep 28 09:00 commons-jelly/jars/commons-jelly-20030902.160215.jar
> (this is identical to the version distributed with Maven 1.0 back in July)
> 
> The full list from the Maven 1.0 build that differ:
> commons-jelly/jars/commons-jelly-20030902.160215.jar
> commons-jelly/jars/commons-jelly-tags-antlr-20030211.143720.jar
> commons-jelly/jars/commons-jelly-tags-define-20030211.142932.jar
> commons-jelly/jars/commons-jelly-tags-html-20030317.100924.jar
> commons-jelly/jars/commons-jelly-tags-interaction-20030211.143817.jar
> commons-jelly/jars/commons-jelly-tags-jsl-20030211.143151.jar
> commons-jelly/jars/commons-jelly-tags-log-20030211.142821.jar
> commons-jelly/jars/commons-jelly-tags-swing-20030211.143925.jar
> commons-jelly/jars/commons-jelly-tags-util-20030211.141939.jar
> commons-jelly/jars/commons-jelly-tags-velocity-20030303.205659.jar
> commons-jelly/jars/commons-jelly-tags-xml-20030211.142705.jar
> 
> I have corrected the versions on ibiblio (being newer, they should
> stay that way), but left Apache alone to find out what happened. I'd
> really like to know if we can resolve this to avoid it in the future,
> and to see if anything else was possibly affected.
> 
> Thanks,
> Brett
>

Re: old JAR files changed in java-repository

Posted by bw...@iinet.net.au.
I'll set up a tripwiresque check of the repository. If anything changes, it will
be reported on (except for things with -SNAPSHOT in their name).

Quoting Brett Porter <br...@gmail.com>:

> > I suspect this is the same issue encountered earlier in the month where
> > Dion Gillard had updated/published some jars using maven. At the same
> > point in time some modifications occurred in the directory which we
> > could not identify the origin of.
> 
> Maven was previously setting some funny permissions (recent release
> has fixed that), but I can't think of any reason why it would
> overwrite an existing JAR with a relatively obscure name with
> something different. Not only that, but a selected series of JARs.
> 
> I don't have access to the repo at the moment, but I wonder if it is
> possible that there are still symlinks for those particular snapshots
> and the target was overwritten?
> 
> > The best I personally can do to get this started is to restrict the
> > rights to files that at least I own at the moment (if only because I
> > transferred the content originally from ibiblio to apache) and then
> > transfer the rights to those files to the appropriate group/user on a
> > case by case basis.
> 
> Sounds like a plan.
> 
> > 
> > Brett, I'll open these files specifically with write access to the
> > jakarta group, you then should be able to update them. I also recommend
> > that you take ownership of them by moving them to temp files and back to
> > change the ownership to your userid. Then restrict the group ownership
> > so only you (or other Commons Jelly Developers) have rights to write them.
> 
> Will do when I get home.
> 
> Thanks,
> Brett
> 
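A tripwire-style check of the kind described in the reply above, as an added example that is not part of the thread or of any Apache tooling: it records a baseline of every released artifact's md5 and size (names containing -SNAPSHOT are skipped, as proposed), reports anything changed, added or removed since, and also verifies each artifact against its .md5 sidecar. The repository layout, file contents and the `demo()` fixture are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
# Assumed layout (constructed): <repo>/<group>/jars/<artifact>.jar with an optional .jar.md5 sidecar.

def md5_of(path):
    return hashlib.md5(path.read_bytes()).hexdigest()

def snapshot_repo(repo):
    """Map relative path -> (md5, size) for released artifacts; -SNAPSHOT names are skipped."""
    state = {}
    for p in sorted(repo.rglob("*")):
        if p.is_file() and p.suffix != ".md5" and "-SNAPSHOT" not in p.name:
            state[p.relative_to(repo).as_posix()] = (md5_of(p), p.stat().st_size)
    return state

def compare(baseline, current):
    """Report every released artifact that changed, appeared or vanished since the baseline."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append("REMOVED " + rel)
        elif rel not in baseline:
            findings.append("ADDED " + rel)
        elif baseline[rel] != current[rel]:  # (md5, size) differs: the case in this thread
            findings.append(f"CHANGED {rel}: {baseline[rel]} -> {current[rel]}")
    return findings

def check_sidecars(repo):
    """Verify each artifact against its .md5 sidecar (the artifact/md5 pair kept in the repo)."""
    findings = []
    for p in sorted(repo.rglob("*.md5")):
        artifact = p.with_suffix("")  # foo.jar.md5 -> foo.jar
        expected = p.read_text().split()[0].lower()  # sidecar holds "hex" or "hex  filename"
        if artifact.is_file() and md5_of(artifact) != expected:
            findings.append("MISMATCH " + artifact.relative_to(repo).as_posix())
    return findings

def demo():
    # Constructed fixture: take a baseline, then silently rewrite one released jar.
    repo = Path(tempfile.mkdtemp())
    jars = repo / "commons-jelly" / "jars"
    jars.mkdir(parents=True)
    jar = jars / "commons-jelly-20030902.160215.jar"
    jar.write_bytes(b"released jar bytes")  # stand-in content, not the real jar
    (jars / "commons-jelly-20030902.160215.jar.md5").write_text(md5_of(jar) + "\n")
    baseline = snapshot_repo(repo)
    jar.write_bytes(b"released jar bytes, overwritten")  # the overwrite seen in the thread
    (jars / "commons-jelly-SNAPSHOT.jar").write_bytes(b"snapshots may churn")  # not reported
    return compare(baseline, snapshot_repo(repo)), check_sidecars(repo)
```

Run from cron against a baseline file written by `snapshot_repo()` and the report names exactly the artifact that was rewritten, while snapshot churn stays out of the report.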
Re: old JAR files changed in java-repository

Posted by Brett Porter <br...@gmail.com>.
> I suspect this is the same issue encountered earlier in the month where
> Dion Gillard had updated/published some jars using maven. At the same
> point in time some modifications occurred in the directory which we
> could not identify the origin of.

Maven was previously setting some funny permissions (recent release
has fixed that), but I can't think of any reason why it would
overwrite an existing JAR with a relatively obscure name with
something different. Not only that, but a selected series of JARs.

I don't have access to the repo at the moment, but I wonder if it is
possible that there are still symlinks for those particular snapshots
and the target was overwritten?

> The best I personally can do to get this started is to restrict the
> rights to files that at least I own at the moment (if only because I
> transferred the content originally from ibiblio to apache) and then
> transfer the rights to those files to the appropriate group/user on a
> case by case basis.

Sounds like a plan.

> 
> Brett, I'll open these files specifically with write access to the
> jakarta group, you then should be able to update them. I also recommend
> that you take ownership of them by moving them to temp files and back to
> change the ownership to your userid. Then restrict the group ownership
> so only you (or other Commons Jelly Developers) have rights to write them.

Will do when I get home.

Thanks,
Brett

Re: old JAR files changed in java-repository

Posted by "Mark R. Diggory" <md...@apache.org>.
Brett,

I suspect this is the same issue encountered earlier in the month where
Dion Gillard had updated/published some jars using maven. At the same
point in time some modifications occurred in the directory which we
could not identify the origin of.

To alleviate some of the issues with the fact that anyone in group
apcvs could alter any files in the repository, we've begun a slow
process of privatizing the files so that only members of a specific
group (jakarta, xml, etc.) have rights to alter the content of the original
artifact/md5 pair.

The best I personally can do to get this started is to restrict the
rights to files that at least I own at the moment (if only because I
transferred the content originally from ibiblio to apache) and then
transfer the rights to those files to the appropriate group/user on a
case by case basis.

Brett, I'll open these files specifically with write access to the 
jakarta group, you then should be able to update them. I also recommend 
that you take ownership of them by moving them to temp files and back to 
change the ownership to your userid. Then restrict the group ownership 
so only you (or other Commons Jelly Developers) have rights to write them.

-Mark

Brett Porter wrote:
> I tried to build maven 1.0 clean today and found out that on Sep 2,
> commons-jelly and a few of its tag libs had changed on ibiblio. These
> were already released jars that changed size. I checked around and
> discovered the source of the change seems to be java-repository at
> Apache.
> 
> Any ideas how this happened?
> 
> One particular offending file:
> 
> > ls -l /www/www.apache.org/dist/java-repository/commons-jelly/jars/ | grep 20030902
> -rw-r--r--  1 mdiggory  jakarta  161479 Sep  2 00:08 commons-jelly-20030902.160215.jar
> > md5 </www/www.apache.org/dist/java-repository/commons-jelly/jars/commons-jelly-20030902.160215.jar
> d1e3117b90f697e6503e4ddf76bc0402
> 
> The original:
> [maven@tribal repaired]$ md5sum commons-jelly/jars/commons-jelly-20030902.160215.jar
> b171e535366191e437cff6d64df33561  commons-jelly/jars/commons-jelly-20030902.160215.jar
> [maven@tribal repaired]$ ls -l commons-jelly/jars/commons-jelly-20030902.160215.jar
> -rwxr-xr-x    1 maven    users      154418 Sep 28 09:00 commons-jelly/jars/commons-jelly-20030902.160215.jar
> (this is identical to the version distributed with Maven 1.0 back in July)
> 
> The full list from the Maven 1.0 build that differ:
> commons-jelly/jars/commons-jelly-20030902.160215.jar
> commons-jelly/jars/commons-jelly-tags-antlr-20030211.143720.jar
> commons-jelly/jars/commons-jelly-tags-define-20030211.142932.jar
> commons-jelly/jars/commons-jelly-tags-html-20030317.100924.jar
> commons-jelly/jars/commons-jelly-tags-interaction-20030211.143817.jar
> commons-jelly/jars/commons-jelly-tags-jsl-20030211.143151.jar
> commons-jelly/jars/commons-jelly-tags-log-20030211.142821.jar
> commons-jelly/jars/commons-jelly-tags-swing-20030211.143925.jar
> commons-jelly/jars/commons-jelly-tags-util-20030211.141939.jar
> commons-jelly/jars/commons-jelly-tags-velocity-20030303.205659.jar
> commons-jelly/jars/commons-jelly-tags-xml-20030211.142705.jar
> 
> I have corrected the versions on ibiblio (being newer, they should
> stay that way), but left Apache alone to find out what happened. I'd
> really like to know if we can resolve this to avoid it in the future,
> and to see if anything else was possibly affected.
> 
> Thanks,
> Brett

-- 
Mark Diggory
Open Source Software Developer
Apache Jakarta Project
http://jakarta.apache.org