Posted to repository@apache.org by Steve Loughran <st...@gmail.com> on 2010/09/10 14:09:11 UTC

bad checksums in activemq-protobuf-1.1.pom

The pom file to go with activemq-protobuf-1.1.pom has different
checksums from those alongside it.
http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom

http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom.sha1
says 255bd0c7703022d85da7416f87802a11053de120

but shasum activemq-protobuf-1.1.pom
c92f02aa8a96139ff4274e8c80701bb8f4bd7c1e  activemq-protobuf-1.1.pom

Seems to me we should have a policy wrt invalid checksums. The
simplest is, going forwards, don't allow artifacts that are
inconsistent, for security reasons. For stuff that is already up
there, after telling off the relevant teams and getting them to verify
the JAR/POM by hand against their release artifacts, maybe we should
rm or update the checksums.
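
The check Steve ran by hand (compare the .sha1 sidecar against a fresh digest of the artifact), turned into a reusable audit that a repository or a build could run over a whole release directory. This is an added example and not code from the thread, Nexus or Maven; the sample POM bytes and file layout are constructed, and the two sidecar formats it accepts (bare hex, or shasum-style "hex  filename") are an assumption about what repositories publish.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a tiny stand-in for a POM file. These bytes are NOT the
# real activemq-protobuf-1.1.pom; they exist only so the example runs offline.
SAMPLE_POM = b"<project><modelVersion>4.0.0</modelVersion></project>\n"

# Sidecar files Maven repositories publish next to each artifact (assumption:
# only .sha1 and .md5 are checked here; .asc signatures are out of scope).
SIDECAR_ALGOS = {".sha1": ("sha1", 40), ".md5": ("md5", 32)}


def digest_hex(data: bytes, algo: str) -> str:
    """Hex digest of the artifact bytes with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def parse_sidecar(text: str, hex_len: int) -> Optional[str]:
    """Extract the digest from a sidecar file.

    Accepts either a bare hex string or a shasum/md5sum-style line
    ("hex  filename"), in either case, and normalises to lowercase. Returns
    None when the file does not start with a digest of the expected length.
    """
    m = re.match(r"\s*([0-9a-fA-F]{%d})(?:\s|$)" % hex_len, text)
    return m.group(1).lower() if m else None


def verify_artifact(data: bytes, sidecar_text: str, algo: str, hex_len: int) -> Tuple[bool, str]:
    """Compare the published digest with one computed from the bytes."""
    expected = parse_sidecar(sidecar_text, hex_len)
    if expected is None:
        return False, "malformed sidecar"
    actual = digest_hex(data, algo)
    # compare_digest avoids leaking where the strings differ; not critical for
    # a public checksum, but it is the idiomatic way to compare digests.
    if not hmac.compare_digest(actual, expected):
        return False, "mismatch: sidecar %s, computed %s" % (expected, actual)
    return True, "ok"


def audit_release_dir(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Apply the 'reject inconsistent artifacts' policy to a directory listing.

    `files` maps relative path -> content (constructed here; in practice read
    from disk or a staging repository). Every artifact that has a sidecar is
    verified; artifacts with no sidecar at all are reported as 'unchecked'.
    Returns (artifact, sidecar-or-'-', status) rows; the release is acceptable
    only if no row carries a status other than 'ok'.
    """
    rows = []
    for path, content in sorted(files.items()):
        if any(path.endswith(ext) for ext in SIDECAR_ALGOS):
            continue  # sidecars are metadata, not artifacts
        seen = False
        for ext, (algo, hex_len) in SIDECAR_ALGOS.items():
            sidecar = path + ext
            if sidecar in files:
                seen = True
                ok, why = verify_artifact(content, files[sidecar].decode("ascii", "replace"), algo, hex_len)
                rows.append((path, sidecar, "ok" if ok else why))
        if not seen:
            rows.append((path, "-", "unchecked: no checksum sidecar"))
    return rows


def release_is_consistent(files: Dict[str, bytes]) -> bool:
    return all(status == "ok" for _, _, status in audit_release_dir(files))


def make_sidecar(data: bytes, filename: str, algo: str = "sha1") -> str:
    """Regenerate a sidecar from the artifact bytes, in shasum output form.

    This is the manual equivalent of rebuilding checksum metadata; it must only
    be run after the artifact itself has been verified against the release,
    otherwise it would just rubber-stamp whatever bytes are sitting there.
    """
    return "%s  %s\n" % (digest_hex(data, algo), filename)


if __name__ == "__main__":
    good = {"activemq-protobuf-1.1.pom": SAMPLE_POM,
            "activemq-protobuf-1.1.pom.sha1": make_sidecar(SAMPLE_POM, "activemq-protobuf-1.1.pom").encode()}
    bad = dict(good, **{"activemq-protobuf-1.1.pom.sha1": b"255bd0c7703022d85da7416f87802a11053de120\n"})
    for label, tree in (("good", good), ("bad", bad)):
        print(label, release_is_consistent(tree))
        for row in audit_release_dir(tree):
            print("   ", row)
```

A sidecar checksum only proves that the bytes you fetched are the bytes the repository meant to serve; an attacker who can replace the artifact on a mirror can usually replace the .sha1 next to it too, so a mismatch like the one above points at a metadata or sync fault rather than proving tampering, and the absence of a mismatch proves nothing about provenance. Verifying the detached .asc signature against the project's release keys is the check that answers the provenance question.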

Re: bad checksums in activemq-protobuf-1.1.pom

Posted by Steve Loughran <st...@gmail.com>.
thanks!

On 10 September 2010 14:06, Juven Xu <ju...@sonatype.com> wrote:
> the incorrect checksums are from repository.apache.org, I just fixed them
> [0] by running a nexus rebuild metadata task, correct sha1 files will be
> synced to central [1] in 4 hours
>
> note that ibiblio is only mirror of central, so we can't guarantee when the
> correct data will be synced to it
>
> nexus checksum staging rule was already enabled on repository.apache.org, so
> we can make sure future apache releases won't have incorrect checksums
>
> [0]
> https://repository.apache.org/content/repositories/releases/org/apache/activemq/protobuf/activemq-protobuf/1.1/
> [1]
> http://repo1.maven.org/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/

Re: bad checksums in activemq-protobuf-1.1.pom

Posted by Juven Xu <ju...@sonatype.com>.
the incorrect checksums are from repository.apache.org, I just fixed them
[0] by running a nexus rebuild metadata task, correct sha1 files will be
synced to central [1] in 4 hours

note that ibiblio is only mirror of central, so we can't guarantee when the
correct data will be synced to it

nexus checksum staging rule was already enabled on repository.apache.org, so
we can make sure future apache releases won't have incorrect checksums

[0]
https://repository.apache.org/content/repositories/releases/org/apache/activemq/protobuf/activemq-protobuf/1.1/
[1]
http://repo1.maven.org/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/


-- 
- juven