Posted to repository@apache.org by Steve Loughran <st...@gmail.com> on 2010/09/10 14:09:11 UTC
bad checksums in activemq-protobuf-1.1.pom
The pom file to go with activemq-protobuf-1.1.pom has different
checksums from those alongside it.

http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom

http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom.sha1
says 255bd0c7703022d85da7416f87802a11053de120

but shasum activemq-protobuf-1.1.pom
c92f02aa8a96139ff4274e8c80701bb8f4bd7c1e activemq-protobuf-1.1.pom

Seems to me we should have a policy wrt invalid checksums. The
simplest is, going forwards, don't allow artifacts that are
inconsistent, for security reasons. For stuff that is already up
there, after telling off the relevant teams and getting them to verify
the JAR/POM by hand against their release artifacts, maybe we should
rm or update the checksums,

Re: bad checksums in activemq-protobuf-1.1.pom
Posted by Steve Loughran <st...@gmail.com>.
thanks!
On 10 September 2010 14:06, Juven Xu <ju...@sonatype.com> wrote:
> the incorrect checksums are from repository.apache.org, I just fixed them
> [0] by running a nexus rebuild metadata task, correct sha1 files will be
> synced to central [1] in 4 hours
>
> note that ibiblio is only a mirror of central, so we can't guarantee when the
> correct data will be synced to it
>
> nexus checksum staging rule was already enabled on repository.apache.org, so
> we can make sure future apache releases won't have incorrect checksums
>
> [0]
> https://repository.apache.org/content/repositories/releases/org/apache/activemq/protobuf/activemq-protobuf/1.1/
> [1]
> http://repo1.maven.org/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/
>
> On Fri, Sep 10, 2010 at 8:09 PM, Steve Loughran <st...@gmail.com>
> wrote:
>>
>> The pom file to go with activemq-protobuf-1.1.pom has different
>> checksums from those alongside it.
>>
>> http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom
>>
>>
>> http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom.sha1
>> says 255bd0c7703022d85da7416f87802a11053de120
>>
>> but shasum activemq-protobuf-1.1.pom
>> c92f02aa8a96139ff4274e8c80701bb8f4bd7c1e activemq-protobuf-1.1.pom
>>
>> Seems to me we should have a policy wrt invalid checksums. The
>> simplest is, going forwards, don't allow artifacts that are
>> inconsistent, for security reasons. For stuff that is already up
>> there, after telling off the relevant teams and getting them to verify
>> the JAR/POM by hand against their release artifacts, maybe we should
>> rm or update the checksums,
>
>
>
> --
> - juven
>
Re: bad checksums in activemq-protobuf-1.1.pom
Posted by Juven Xu <ju...@sonatype.com>.
the incorrect checksums are from repository.apache.org, I just fixed them
[0] by running a nexus rebuild metadata task, correct sha1 files will be
synced to central [1] in 4 hours

note that ibiblio is only a mirror of central, so we can't guarantee when the
correct data will be synced to it

nexus checksum staging rule was already enabled on repository.apache.org, so
we can make sure future apache releases won't have incorrect checksums

[0]
https://repository.apache.org/content/repositories/releases/org/apache/activemq/protobuf/activemq-protobuf/1.1/
[1]
http://repo1.maven.org/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/

On Fri, Sep 10, 2010 at 8:09 PM, Steve Loughran <st...@gmail.com> wrote:
> The pom file to go with activemq-protobuf-1.1.pom has different
> checksums from those alongside it.
>
> http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom
>
>
> http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom.sha1
> says 255bd0c7703022d85da7416f87802a11053de120
>
> but shasum activemq-protobuf-1.1.pom
> c92f02aa8a96139ff4274e8c80701bb8f4bd7c1e activemq-protobuf-1.1.pom
>
> Seems to me we should have a policy wrt invalid checksums. The
> simplest is, going forwards, don't allow artifacts that are
> inconsistent, for security reasons. For stuff that is already up
> there, after telling off the relevant teams and getting them to verify
> the JAR/POM by hand against their release artifacts, maybe we should
> rm or update the checksums,
>
--
- juven
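
Added example, not part of the thread and not the Nexus staging rule it mentions: a shell audit that repeats the manual shasum comparison from the first message over every .sha1 sidecar in a local copy of a repository tree. The function names (sha1_of, check_sidecar, audit_repo) and the status words are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a local copy of a Maven-layout
# repository for artifacts whose .sha1 sidecar disagrees with the file.

# Print the SHA-1 of a file as lowercase hex, using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# check_sidecar FILE.sha1: print one status line, return 0 only on a match.
check_sidecar() {
    sidecar=$1
    artifact=${sidecar%.sha1}
    [ -f "$artifact" ] || { echo "MISSING $artifact"; return 1; }
    # A sidecar holds a bare digest or "digest  filename", often with no
    # trailing newline (read then returns non-zero but still fills the variable).
    expected=''
    read -r expected rest < "$sidecar" || true
    expected=$(printf '%s' "$expected" | tr -d '\r' | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "MALFORMED $sidecar"; return 1 ;;
    esac
    [ "${#expected}" -eq 40 ] || { echo "MALFORMED $sidecar"; return 1; }
    actual=$(sha1_of "$artifact")
    if [ "$expected" = "$actual" ]; then
        echo "OK $artifact"
    else
        echo "MISMATCH $artifact expected=$expected actual=$actual"
        return 1
    fi
}

# audit_repo DIR: print every sidecar that is not OK; return 0 only if none.
audit_repo() {
    ! find "$1" -type f -name '*.sha1' | sort | while IFS= read -r s; do
        check_sidecar "$s" || true
    done | grep -v '^OK '
}
```

A MISMATCH line only says the artifact and its sidecar disagree; which of the two is correct still has to be settled against the release artifacts, as the first message says.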