Posted to dev@netbeans.apache.org by John McDonnell <mc...@gmail.com> on 2017/10/10 20:31:24 UTC

[MODULE REVIEW] - o.eclipse.jgit - Questions

Hi,

So I took on what I thought would be a quick and simple module to
get into this, and I have a few questions:

Module: https://github.com/apache/incubator-netbeans/tree/master/o.eclipse.jgit

1.

The RAT report currently lists:

  AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/build.xml
  AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/external/binaries-list
  AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/nbproject/project.properties
  AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/nbproject/project.xml

build.xml and project.xml files are listed in a "Problems to be solved
centrally" list, so I assume I can ignore them, but in fact, all 4
files listed above have an Apache License header...

2.

There's 1 external dependency here:
B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar

I'm not sure about the nosignature part, but I can find[1] this
version which I guess is the same one, but when I change the
binaries-list file to use
B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r

I got an error as the hash was wrong and had to change it to be:
47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5
org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r

Should I be viewing this as a potential question mark, or is it okay?

3.

Looking back at[1] it's licensed under EDL.  I assume I need to add a file:
org.eclipse.jgit-3.6.2.201501210735-r-notice.txt but I'm unsure what
to include in it/where does its content come from.



[1]: https://mvnrepository.com/artifact/org.eclipse.jgit/org.eclipse.jgit/3.6.2.201501210735-r


-- 
John

Re: Security clearance and regressions prevention for changed dependencies [WAS: Re: [MODULE REVIEW] - o.eclipse.jgit - Questions]

Posted by Emilian Bold <em...@gmail.com>.
Great! Something like this would be good to know for every JAR where
the Maven hash is different.

--emi


On Wed, Oct 11, 2017 at 12:11 PM, John McDonnell
<mc...@gmail.com> wrote:
> Hi,
>
> I took a look using a tool called DeltaWalker and the only differences
> between the 2 are:
> The new version contains 2 additional files META-INF/ECLIPSE_.SF and
> META-INF/ECLIPSE_.RSA and the file META-INF/MANIFEST.MF has SHA-1
> signatures for each class found in the JAR.
>
> The class files themselves are the same between both jars.
>
> Regards
>
> John
>
>
>
>
> On 11 October 2017 at 08:47, Emilian Bold <em...@gmail.com> wrote:
>> Hello,
>>
>> It seems important to me to double-check binary dependencies where only the Maven hash changes, especially for code that's supposed to talk to remote servers.
>>
>> So an actual diff between JARs should be reviewed and posted.
>>
>> For this particular git JAR were only some META-INF signatures added or do .class files differ?
>>
>> --emi
>>
>> Pe 11 oct. 2017, la 08:35, Antonio <an...@vieiro.net> a scris:
>>
>>>
>>>
>>> On 11/10/17 00:59, John McDonnell wrote:
>>>>>> 2.
>>>>>>
>>>>>> There's 1 external dependency here:
>>>>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>>>>> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>>>>>
>>>>>> I'm not sure about the nosignature part, but I can find[1] this
>>>>>> version which I guess is the same one, but when I change the
>>>>>> binaries-list file to use
>>>>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>>>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>>>>
>>>>>> I got an error as the hash was wrong and had to change it to be:
>>>>>> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5
>>>>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>>>>
>>>>>> Should I be viewing this as a potential question mark, or is it okay?
>>>>>
>>>>>
>>>>> Enter the SHA-1 Checksum at the bottom of this page:
>>>>>
>>>>> http://search.maven.org/#advancedsearch
>>>>>
>>>>> And doublecheck that the version (name, etc.) is correct.
>>>> Nope, that hash didn't return anything from that search tool.
>>>
>>> This is confusing, I know, so please let me try to explain myself again.
>>>
>>> It's normal that the original SHA1 sum (B580E446B54... ) is NOT in maven central. This is so because ages ago the original jar binary file was uploaded to the NetBeans repository by the NSA/KGB/CIA guys :-D.
>>>
>>> The idea is to look up the jar again in maven central and fetch a proper binary hash sum. The error suggests (47D59DF...).
>>>
>>> What I meant when I said "doublecheck that the version is correct" is that we should now check this new checksum in the http://search.maven.org/#advancedsearch page. If we do so we get [1], which looks correct (same artifact name, same version) for this binary.
>>>
>>> So now we can get rid of that NSA/KGB binary that was once placed there in the NetBeans repository (with that B580E... checksum), and replace it with one from Maven central (with that 47D59DF... checksum). This is safer, because NSA/KGB have new hacking techniques and do deliver now new official binaries from maven central. :-D
>>>
>>> So, to summarize, we once had this line in the binaries-list file:
>>>
>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029 org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>>
>>> With a SHA-1 sum that is NOT in maven central, and we now have to replace it with
>>>
>>> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5 org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>
>>> Which corresponds to the official maven binary, with the latest NSA/KGB patches applied.
>>>
>>>
>>> [1] http://search.maven.org/#search%7Cga%7C1%7C1%3A%2247D59DFFB5F02470CCFB6C1A5A31B6040A1636E5%22
>>>
>>>>> If the name of the jar file is different from the original entry you'll have
>>>>> to update nbproject/project.xml and nbproject/project.properties. In your
>>>>> case the original file had a '_nosignature' thing there, which is missing in
>>>>> the file downloaded from central.
>>>
>>> The original binary was named
>>>
>>> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>>
>>> And the one from maven central is named differently:
>>>
>>> org.eclipse.jgit-3.6.2.201501210735-r.jar
>>>
>>> So we'll have to modify nbproject/project.properties and nbproject/project.xml to reflect this name change.
>>>
>>> In project.properties we see
>>>
>>> release.external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar=modules/org-eclipse-jgit.jar
>>>
>>> That should be changed to
>>>
>>> release.external/org.eclipse.jgit-3.6.2.201501210735-r.jar=modules/org-eclipse-jgit.jar
>>>
>>> (removing the _nosignature stuff)
>>>
>>> and in project.xml
>>>
>>>            <class-path-extension>
>>>                <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
>>>                <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar</binary-origin>
>>>            </class-path-extension>
>>>
>>> should now look like:
>>>
>>>
>>>            <class-path-extension>
>>>                <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
>>>                <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r.jar</binary-origin>
>>>            </class-path-extension>
>>>
>>> (removing the _nosignature suffix)
>>>
>>> To verify that these changes are correct just run "ant test" in the module directory.
>>>
>>>
>>> [2] http://repo1.maven.org/maven2/org/eclipse/jgit/org.eclipse.jgit/3.6.2.201501210735-r/
>>>
>>>
>>>> No worries, thanks for the advice.  I might move this to one side and
>>>> start another module tomorrow and come back to it.
>>>
>>> Ok. Let me know if you need help (but I'll be offline for a few hours from now).
>>>
>>> Cheers,
>>> Antonio
>>>
>>>
>
>
>
> --
> John

Re: Security clearance and regressions prevention for changed dependencies [WAS: Re: [MODULE REVIEW] - o.eclipse.jgit - Questions]

Posted by John McDonnell <mc...@gmail.com>.
Hi,

I took a look using a tool called DeltaWalker and the only differences
between the 2 are:
The new version contains 2 additional files META-INF/ECLIPSE_.SF and
META-INF/ECLIPSE_.RSA and the file META-INF/MANIFEST.MF has SHA-1
signatures for each class found in the JAR.

The class files themselves are the same between both jars.

Regards

John




On 11 October 2017 at 08:47, Emilian Bold <em...@gmail.com> wrote:
> Hello,
>
> It seems important to me to double-check binary dependencies where only the Maven hash changes, especially for code that's supposed to talk to remote servers.
>
> So an actual diff between JARs should be reviewed and posted.
>
> For this particular git JAR were only some META-INF signatures added or do .class files differ?
>
> --emi
>
> Pe 11 oct. 2017, la 08:35, Antonio <an...@vieiro.net> a scris:
>
>>
>>
>> On 11/10/17 00:59, John McDonnell wrote:
>>>>> 2.
>>>>>
>>>>> There's 1 external dependency here:
>>>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>>>> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>>>>
>>>>> I'm not sure about the nosignature part, but I can find[1] this
>>>>> version which I guess is the same one, but when I change the
>>>>> binaries-list file to use
>>>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>>>
>>>>> I got an error as the hash was wrong and had to change it to be:
>>>>> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5
>>>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>>>
>>>>> Should I be viewing this as a potential question mark, or is it okay?
>>>>
>>>>
>>>> Enter the SHA-1 Checksum at the bottom of this page:
>>>>
>>>> http://search.maven.org/#advancedsearch
>>>>
>>>> And doublecheck that the version (name, etc.) is correct.
>>> Nope, that hash didn't return anything from that search tool.
>>
>> This is confusing, I know, so please let me try to explain myself again.
>>
>> It's normal that the original SHA1 sum (B580E446B54... ) is NOT in maven central. This is so because ages ago the original jar binary file was uploaded to the NetBeans repository by the NSA/KGB/CIA guys :-D.
>>
>> The idea is to look up the jar again in maven central and fetch a proper binary hash sum. The error suggests (47D59DF...).
>>
>> What I meant when I said "doublecheck that the version is correct" is that we should now check this new checksum in the http://search.maven.org/#advancedsearch page. If we do so we get [1], which looks correct (same artifact name, same version) for this binary.
>>
>> So now we can get rid of that NSA/KGB binary that was once placed there in the NetBeans repository (with that B580E... checksum), and replace it with one from Maven central (with that 47D59DF... checksum). This is safer, because NSA/KGB have new hacking techniques and do deliver now new official binaries from maven central. :-D
>>
>> So, to summarize, we once had this line in the binaries-list file:
>>
>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029 org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>
>> With a SHA-1 sum that is NOT in maven central, and we now have to replace it with
>>
>> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5 org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>
>> Which corresponds to the official maven binary, with the latest NSA/KGB patches applied.
>>
>>
>> [1] http://search.maven.org/#search%7Cga%7C1%7C1%3A%2247D59DFFB5F02470CCFB6C1A5A31B6040A1636E5%22
>>
>>>> If the name of the jar file is different from the original entry you'll have
>>>> to update nbproject/project.xml and nbproject/project.properties. In your
>>>> case the original file had a '_nosignature' thing there, which is missing in
>>>> the file downloaded from central.
>>
>> The original binary was named
>>
>> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>
>> And the one from maven central is named differently:
>>
>> org.eclipse.jgit-3.6.2.201501210735-r.jar
>>
>> So we'll have to modify nbproject/project.properties and nbproject/project.xml to reflect this name change.
>>
>> In project.properties we see
>>
>> release.external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar=modules/org-eclipse-jgit.jar
>>
>> That should be changed to
>>
>> release.external/org.eclipse.jgit-3.6.2.201501210735-r.jar=modules/org-eclipse-jgit.jar
>>
>> (removing the _nosignature stuff)
>>
>> and in project.xml
>>
>>            <class-path-extension>
>>                <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
>>                <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar</binary-origin>
>>            </class-path-extension>
>>
>> should now look like:
>>
>>
>>            <class-path-extension>
>>                <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
>>                <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r.jar</binary-origin>
>>            </class-path-extension>
>>
>> (removing the _nosignature suffix)
>>
>> To verify that these changes are correct just run "ant test" in the module directory.
>>
>>
>> [2] http://repo1.maven.org/maven2/org/eclipse/jgit/org.eclipse.jgit/3.6.2.201501210735-r/
>>
>>
>>> No worries, thanks for the advice.  I might move this to one side and
>>> start another module tomorrow and come back to it.
>>
>> Ok. Let me know if you need help (but I'll be offline for a few hours from now).
>>
>> Cheers,
>> Antonio
>>
>>



-- 
John
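The JAR comparison John describes above (a signed build against the `_nosignature` one), as an added example that is not the DeltaWalker tool he used and not NetBeans code. It reads both JARs with the standard library, classifies every entry that differs, and separates signing metadata (`META-INF/*.SF`, `*.RSA`/`*.DSA`/`*.EC`, and digest lines in `META-INF/MANIFEST.MF`) from anything else, which is what a reviewer actually needs to sign off on. Both JARs are constructed in memory with placeholder class bytes; the entry names follow JGit's package layout but are assumptions, not taken from the real artifact.

```python
"""Diff two JAR files entry by entry and separate signature metadata from code
changes.

Added example; it is not the DeltaWalker tool mentioned above or any NetBeans
code. Both JARs are constructed in memory: an unsigned build and a signed build
that, like the pair described above, differs only by META-INF/ECLIPSE_.SF,
META-INF/ECLIPSE_.RSA and per-entry digests in META-INF/MANIFEST.MF. The class
file bytes are placeholders, not real bytecode.
"""
import base64
import hashlib
import io
import zipfile

# Files a JAR signer adds or rewrites; anything else that differs is a real change.
SIGNATURE_BLOCK_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
MANIFEST = "META-INF/MANIFEST.MF"


def is_signature_metadata(name):
    return name == MANIFEST or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_BLOCK_SUFFIXES)
    )


def entry_digests(jar_bytes):
    """Map every non-directory entry to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_jars(old_bytes, new_bytes):
    """Classify differences; 'code_changes' lists everything that is not signing metadata."""
    old, new = entry_digests(old_bytes), entry_digests(new_bytes)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in old.keys() & new.keys() if old[n] != new[n])
    code_changes = [n for n in added + removed + changed if not is_signature_metadata(n)]
    return {"added": added, "removed": removed, "changed": changed, "code_changes": code_changes}


def build_jar(classes, signed):
    """Construct a minimal JAR. With signed=True, mimic what a JAR signer leaves behind:
    per-entry SHA1-Digest lines in the manifest plus a .SF/.RSA pair (placeholder bytes)."""
    manifest = "Manifest-Version: 1.0\n"
    if signed:
        for name, data in classes.items():
            digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
            manifest += f"\nName: {name}\nSHA1-Digest: {digest}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest)
        if signed:
            zf.writestr("META-INF/ECLIPSE_.SF", "Signature-Version: 1.0\n")  # constructed
            zf.writestr("META-INF/ECLIPSE_.RSA", b"constructed PKCS#7 placeholder")
        for name, data in classes.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed class entries; names follow the JGit package layout, bytes are placeholders.
CLASSES = {
    "org/eclipse/jgit/lib/Repository.class": b"\xca\xfe\xba\xbe Repository placeholder",
    "org/eclipse/jgit/transport/Transport.class": b"\xca\xfe\xba\xbe Transport placeholder",
}


def review(old_bytes, new_bytes):
    """One-line verdict of the kind a reviewer would post to the list."""
    report = diff_jars(old_bytes, new_bytes)
    if report["code_changes"]:
        return "REVIEW: non-signature entries differ: " + ", ".join(report["code_changes"])
    return "OK: only signing metadata differs: " + ", ".join(report["added"] + report["changed"])


if __name__ == "__main__":
    unsigned = build_jar(CLASSES, signed=False)
    signed = build_jar(CLASSES, signed=True)
    print(review(unsigned, signed))
    # Same signed build, but one class body altered: this must not pass as "signature only".
    tampered = dict(CLASSES, **{"org/eclipse/jgit/transport/Transport.class": b"\xca\xfe\xba\xbe changed"})
    print(review(unsigned, build_jar(tampered, signed=True)))
```

Comparing content digests rather than the ZIP entries' CRC or timestamps matters here: a re-packaged JAR with identical classes but different entry order or timestamps would otherwise look changed, while the interesting case (an altered class alongside freshly generated signature files) is exactly the one `code_changes` flags.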

Security clearance and regressions prevention for changed dependencies [WAS: Re: [MODULE REVIEW] - o.eclipse.jgit - Questions]

Posted by Emilian Bold <em...@gmail.com>.
Hello,

It seems important to me to double-check binary dependencies where only the Maven hash changes, especially for code that's supposed to talk to remote servers.

So an actual diff between JARs should be reviewed and posted.

For this particular git JAR were only some META-INF signatures added or do .class files differ?

--emi

Pe 11 oct. 2017, la 08:35, Antonio <an...@vieiro.net> a scris:

> 
> 
> On 11/10/17 00:59, John McDonnell wrote:
>>>> 2.
>>>> 
>>>> There's 1 external dependency here:
>>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>>> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>>> 
>>>> I'm not sure about the nosignature part, but I can find[1] this
>>>> version which I guess is the same one, but when I change the
>>>> binaries-list file to use
>>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>> 
>>>> I got an error as the hash was wrong and had to change it to be:
>>>> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5
>>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>> 
>>>> Should I be viewing this as a potential question mark, or is it okay?
>>> 
>>> 
>>> Enter the SHA-1 Checksum at the bottom of this page:
>>> 
>>> http://search.maven.org/#advancedsearch
>>> 
>>> And doublecheck that the version (name, etc.) is correct.
>> Nope, that hash didn't return anything from that search tool.
> 
> This is confusing, I know, so please let me try to explain myself again.
> 
> It's normal that the original SHA1 sum (B580E446B54... ) is NOT in maven central. This is so because ages ago the original jar binary file was uploaded to the NetBeans repository by the NSA/KGB/CIA guys :-D.
> 
> The idea is to look up the jar again in maven central and fetch a proper binary hash sum. The error suggests (47D59DF...).
> 
> What I meant when I said "doublecheck that the version is correct" is that we should now check this new checksum in the http://search.maven.org/#advancedsearch page. If we do so we get [1], which looks correct (same artifact name, same version) for this binary.
> 
> So now we can get rid of that NSA/KGB binary that was once placed there in the NetBeans repository (with that B580E... checksum), and replace it with one from Maven central (with that 47D59DF... checksum). This is safer, because NSA/KGB have new hacking techniques and do deliver now new official binaries from maven central. :-D
> 
> So, to summarize, we once had this line in the binaries-list file:
> 
> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029 org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
> 
> With a SHA-1 sum that is NOT in maven central, and we now have to replace it with
> 
> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5 org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
> 
> Which corresponds to the official maven binary, with the latest NSA/KGB patches applied.
> 
> 
> [1] http://search.maven.org/#search%7Cga%7C1%7C1%3A%2247D59DFFB5F02470CCFB6C1A5A31B6040A1636E5%22
> 
>>> If the name of the jar file is different from the original entry you'll have
>>> to update nbproject/project.xml and nbproject/project.properties. In your
>>> case the original file had a '_nosignature' thing there, which is missing in
>>> the file downloaded from central.
> 
> The original binary was named
> 
> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
> 
> And the one from maven central is named differently:
> 
> org.eclipse.jgit-3.6.2.201501210735-r.jar
> 
> So we'll have to modify nbproject/project.properties and nbproject/project.xml to reflect this name change.
> 
> In project.properties we see
> 
> release.external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar=modules/org-eclipse-jgit.jar
> 
> That should be changed to
> 
> release.external/org.eclipse.jgit-3.6.2.201501210735-r.jar=modules/org-eclipse-jgit.jar
> 
> (removing the _nosignature stuff)
> 
> and in project.xml
> 
>            <class-path-extension>
>                <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
>                <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar</binary-origin>
>            </class-path-extension>
> 
> should now look like:
> 
> 
>            <class-path-extension>
>                <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
>                <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r.jar</binary-origin>
>            </class-path-extension>
> 
> (removing the _nosignature suffix)
> 
> To verify that these changes are correct just run "ant test" in the module directory.
> 
> 
> [2] http://repo1.maven.org/maven2/org/eclipse/jgit/org.eclipse.jgit/3.6.2.201501210735-r/
> 
> 
>> No worries, thanks for the advice.  I might move this to one side and
>> start another module tomorrow and come back to it.
> 
> Ok. Let me know if you need help (but I'll be offline for a few hours from now).
> 
> Cheers,
> Antonio
> 
> 

Re: [MODULE REVIEW] - o.eclipse.jgit - Questions

Posted by John McDonnell <mc...@gmail.com>.
That's perfect - it's sort of in line with what I was thinking and had
locally, but just the 'nosignature' part and the different hashes were
confusing me.

Thanks for the explanation!

John

On 11 October 2017 at 06:35, Antonio <an...@vieiro.net> wrote:
>
>
> On 11/10/17 00:59, John McDonnell wrote:
>>>>
>>>> 2.
>>>>
>>>> There's 1 external dependency here:
>>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>>> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>>>
>>>> I'm not sure about the nosignature part, but I can find[1] this
>>>> version which I guess is the same one, but when I change the
>>>> binaries-list file to use
>>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>>
>>>> I got an error as the hash was wrong and had to change it to be:
>>>> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5
>>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>>
>>>> Should I be viewing this as a potential question mark, or is it okay?
>>>
>>>
>>>
>>> Enter the SHA-1 Checksum at the bottom of this page:
>>>
>>> http://search.maven.org/#advancedsearch
>>>
>>> And doublecheck that the version (name, etc.) is correct.
>>
>>
>> Nope, that hash didn't return anything from that search tool.
>
>
> This is confusing, I know, so please let me try to explain myself again.
>
> It's normal that the original SHA1 sum (B580E446B54... ) is NOT in maven
> central. This is so because ages ago the original jar binary file was
> uploaded to the NetBeans repository by the NSA/KGB/CIA guys :-D.
>
> The idea is to look up the jar again in maven central and fetch a proper
> binary hash sum. The error suggests (47D59DF...).
>
> What I meant when I said "doublecheck that the version is correct" is that
> we should now check this new checksum in the
> http://search.maven.org/#advancedsearch page. If we do so we get [1], which
> looks correct (same artifact name, same version) for this binary.
>
> So now we can get rid of that NSA/KGB binary that was once placed there in
> the NetBeans repository (with that B580E... checksum), and replace it with
> one from Maven central (with that 47D59DF... checksum). This is safer,
> because NSA/KGB have new hacking techniques and do deliver now new official
> binaries from maven central. :-D
>
> So, to summarize, we once had this line in the binaries-list file:
>
> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029 org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>
> With a SHA-1 sum that is NOT in maven central, and we now have to replace it
> with
>
> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5 org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>
> Which corresponds to the official maven binary, with the latest NSA/KGB
> patches applied.
>
>
> [1]
> http://search.maven.org/#search%7Cga%7C1%7C1%3A%2247D59DFFB5F02470CCFB6C1A5A31B6040A1636E5%22
>
>>
>>> If the name of the jar file is different from the original entry you'll
>>> have
>>> to update nbproject/project.xml and nbproject/project.properties. In your
>>> case the original file had a '_nosignature' thing there, which is missing
>>> in
>>> the file downloaded from central.
>
>
> The original binary was named
>
> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>
> And the one from maven central is named differently:
>
> org.eclipse.jgit-3.6.2.201501210735-r.jar
>
> So we'll have to modify nbproject/project.properties and
> nbproject/project.xml to reflect this name change.
>
> In project.properties we see
>
> release.external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar=modules/org-eclipse-jgit.jar
>
> That should be changed to
>
> release.external/org.eclipse.jgit-3.6.2.201501210735-r.jar=modules/org-eclipse-jgit.jar
>
> (removing the _nosignature stuff)
>
> and in project.xml
>
>             <class-path-extension>
>                 <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
>                 <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar</binary-origin>
>             </class-path-extension>
>
> should now look like:
>
>
>             <class-path-extension>
>                 <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
>                 <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r.jar</binary-origin>
>             </class-path-extension>
>
> (removing the _nosignature suffix)
>
> To verify that these changes are correct just run "ant test" in the module
> directory.
>
>
> [2]
> http://repo1.maven.org/maven2/org/eclipse/jgit/org.eclipse.jgit/3.6.2.201501210735-r/
>
>
>>
>> No worries, thanks for the advice.  I might move this to one side and
>> start another module tomorrow and come back to it.
>>
>
> Ok. Let me know if you need help (but I'll be offline for a few hours from
> now).
>
> Cheers,
> Antonio
>
>



-- 
John

Re: [MODULE REVIEW] - o.eclipse.jgit - Questions

Posted by Antonio <an...@vieiro.net>.

On 11/10/17 00:59, John McDonnell wrote:
>>> 2.
>>>
>>> There's 1 external dependency here:
>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>>
>>> I'm not sure about the nosignature part, but I can find[1] this
>>> version which I guess is the same one, but when I change the
>>> binaries-list file to use
>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>
>>> I got an error as the hash was wrong and had to change it to be:
>>> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5
>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>
>>> Should I be viewing this as a potential question mark, or is it okay?
>>
>>
>> Enter the SHA-1 Checksum at the bottom of this page:
>>
>> http://search.maven.org/#advancedsearch
>>
>> And doublecheck that the version (name, etc.) is correct.
> 
> Nope, that hash didn't return anything from that search tool.

This is confusing, I know, so please let me try to explain myself again.

It's normal that the original SHA1 sum (B580E446B54... ) is NOT in maven 
central. This is so because ages ago the original jar binary file was 
uploaded to the NetBeans repository by the NSA/KGB/CIA guys :-D.

The idea is to look up the jar again in maven central and fetch a proper 
binary hash sum. The error suggests (47D59DF...).

What I meant when I said "doublecheck that the version is correct" is 
that we should now check this new checksum in the 
http://search.maven.org/#advancedsearch page. If we do so we get [1], 
which looks correct (same artifact name, same version) for this binary.

So now we can get rid of that NSA/KGB binary that was once placed there 
in the NetBeans repository (with that B580E... checksum), and replace it 
with one from Maven central (with that 47D59DF... checksum). This is 
safer, because NSA/KGB have new hacking techniques and do deliver now 
new official binaries from maven central. :-D

So, to summarize, we once had this line in the binaries-list file:

B580E446B543A8DD2F5AA368B07F9C4C9C2E7029 org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar

With a SHA-1 sum that is NOT in maven central, and we now have to 
replace it with

47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5 org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r

Which corresponds to the official maven binary, with the latest NSA/KGB 
patches applied.


[1] 
http://search.maven.org/#search%7Cga%7C1%7C1%3A%2247D59DFFB5F02470CCFB6C1A5A31B6040A1636E5%22

> 
>> If the name of the jar file is different from the original entry you'll have
>> to update nbproject/project.xml and nbproject/project.properties. In your
>> case the original file had a '_nosignature' thing there, which is missing in
>> the file downloaded from central.

The original binary was named

org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar

And the one from maven central is named differently:

org.eclipse.jgit-3.6.2.201501210735-r.jar

So we'll have to modify nbproject/project.properties and 
nbproject/project.xml to reflect this name change.

In project.properties we see

release.external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar=modules/org-eclipse-jgit.jar

That should be changed to

release.external/org.eclipse.jgit-3.6.2.201501210735-r.jar=modules/org-eclipse-jgit.jar

(removing the _nosignature stuff)

and in project.xml

             <class-path-extension>
                 <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
                 <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar</binary-origin>
             </class-path-extension>

should now look like:


             <class-path-extension>
                 <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
                 <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r.jar</binary-origin>
             </class-path-extension>

(removing the _nosignature suffix)

To verify that these changes are correct just run "ant test" in the 
module directory.


[2] 
http://repo1.maven.org/maven2/org/eclipse/jgit/org.eclipse.jgit/3.6.2.201501210735-r/


> 
> No worries, thanks for the advice.  I might move this to one side and
> start another module tomorrow and come back to it.
> 

Ok. Let me know if you need help (but I'll be offline for a few hours 
from now).

Cheers,
Antonio
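The binaries-list procedure Antonio walks through above (a recorded SHA-1 next to either a bare file name or `group:artifact:version` coordinates, the hash checked against the JAR on disk, and the replacement fetched from Maven Central), as an added example. This is not the NetBeans build's own check and not code from the thread; it assumes the one-entry-per-line format visible in the messages and the standard Maven repository layout under `https://repo1.maven.org/maven2`. The JAR bytes in the demo are a constructed stand-in, while the coordinates and hashes are the ones quoted in the thread.

```python
"""Verify an external/binaries-list entry against the JAR on disk and derive
where Maven Central would serve it from.

This is an added example, not the NetBeans build script or anything from the
thread. It assumes the binaries-list format seen above (one entry per line:
<40-hex SHA-1> <file name or group:artifact:version>) and the standard Maven
repository layout under https://repo1.maven.org/maven2.
"""
import hashlib
import re

MAVEN_CENTRAL = "https://repo1.maven.org/maven2"
HEX40 = re.compile(r"[0-9A-Fa-f]{40}")
COORDS = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+)$")


def parse_binaries_list(text):
    """Return [(sha1_upper, reference)] for each entry; blank and '#' lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not HEX40.fullmatch(parts[0]):
            raise ValueError(f"line {lineno}: malformed binaries-list entry {raw!r}")
        entries.append((parts[0].upper(), parts[1]))
    return entries


def jar_file_name(reference):
    """group:artifact:version -> artifact-version.jar; a bare file name is returned as is."""
    m = COORDS.match(reference)
    if not m:
        return reference
    _group, artifact, version = m.groups()
    return f"{artifact}-{version}.jar"


def maven_url(reference):
    """Maven Central URL for a group:artifact:version reference, or None for a bare
    file name (such as the *_nosignature.jar that was never in Central)."""
    m = COORDS.match(reference)
    if not m:
        return None
    group, artifact, version = m.groups()
    return f"{MAVEN_CENTRAL}/{group.replace('.', '/')}/{artifact}/{version}/{jar_file_name(reference)}"


def sha1_hex(data):
    """Upper-case SHA-1 hex digest, the form binaries-list uses."""
    return hashlib.sha1(data).hexdigest().upper()


def check_entry(expected_sha1, jar_bytes):
    """Compare the recorded SHA-1 with the bytes actually on disk.
    Returns (ok, actual_sha1) so a mismatch can be reported with both values."""
    actual = sha1_hex(jar_bytes)
    return actual == expected_sha1.upper(), actual


if __name__ == "__main__":
    # Constructed sample: the coordinates and the B580E... hash are the ones quoted
    # in the thread; the "JAR" bytes are a stand-in, not the real artifact.
    sample_jar = b"PK\x03\x04 constructed stand-in for the downloaded jar"
    listing = (
        "# external/binaries-list (constructed)\n"
        f"{sha1_hex(sample_jar)} org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r\n"
        "B580E446B543A8DD2F5AA368B07F9C4C9C2E7029 org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar\n"
    )
    for expected, ref in parse_binaries_list(listing):
        ok, actual = check_entry(expected, sample_jar)
        print(f"{jar_file_name(ref)}: {'OK' if ok else 'MISMATCH'} (expected {expected}, got {actual})")
        print(f"  source: {maven_url(ref) or 'not a Maven coordinate; no Central URL to compare against'}")
```

The second entry in the demo mismatches on purpose: that is the situation John hit, where the recorded hash belongs to a JAR nobody can fetch from Central. Resolving it means fetching the artifact from the URL `maven_url` derives, recording that file's SHA-1, and then reviewing what actually differs between the two JARs before switching.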



Re: [MODULE REVIEW] - o.eclipse.jgit - Questions

Posted by John McDonnell <mc...@gmail.com>.
>> 1.
>>
>> The RAT report currently lists:
>>
>>    AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/build.xml
>>    AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/external/binaries-list
>>    AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/nbproject/project.properties
>>    AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/nbproject/project.xml
>>
>> build.xml and project.xml files are listed in a "Problems to be solved
>> centrally" list, so I assume I can ignore them, but in fact, all 4
>> files listed above have an Apache License header...
>>
>
> I do add Apache license headers to these, I think.

That's okay, they all have AL license headers. - So question closed :)

>> 2.
>>
>> There's 1 external dependency here:
>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>
>> I'm not sure about the nosignature part, but I can find[1] this
>> version which I guess is the same one, but when I change the
>> binaries-list file to use
>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>
>> I got an error as the hash was wrong and had to change it to be:
>> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5
>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>
>> Should I be viewing this as a potential question mark, or is it okay?
>
>
> Enter the SHA-1 Checksum at the bottom of this page:
>
> http://search.maven.org/#advancedsearch
>
> And doublecheck that the version (name, etc.) is correct.

Nope, that hash didn't return anything from that search tool.

> If the name of the jar file is different from the original entry you'll have
> to update nbproject/project.xml and nbproject/project.properties. In your
> case the original file had a '_nosignature' thing there, which is missing in
> the file downloaded from central.
>
> For an example of this case of different names you can see
> libs.xerces/external/binaries-list (once it's committed). The file
> downloaded from maven is xercesImpl-2.8.0.jar, but the original file was
> xerces.2.8.0.jar, that name change had to be reflected in
> nbproject/project.xml and nbproject/project.properties.

I assume though that in your scenario the hashes were the same,
so a simple rename is probably okay.

>>
>> 3.
>>
>> Looking back at[1] it's licensed under EDL.  I assume I need to add a
>> file:
>> org.eclipse.jgit-3.6.2.201501210735-r-notice.txt but I'm unsure what
>> to include in it/where does its content come from.
>
>
> I visit the project's repository and then find the proper version. Some of
> them have a notice file there, some others (libs.smack, for instance) don't
> have one.

No, I checked the source repo for JGit, and there's no Notice file.

> Hope this helps,
> Antonio

No worries, thanks for the advice.  I might move this to one side and
start another module tomorrow and come back to it.


-- 
John

Re: [MODULE REVIEW] - o.eclipse.jgit - Questions

Posted by Antonio <an...@vieiro.net>.

On 10/10/17 22:31, John McDonnell wrote:
> Hi,
> 
> So I took on what I thought would be a quick and simple module to
> get into this, and I have a few questions:
> 
> Module: https://github.com/apache/incubator-netbeans/tree/master/o.eclipse.jgit
> 
> 1.
> 
> The RAT report currently lists:
> 
>    AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/build.xml
>    AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/external/binaries-list
>    AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/nbproject/project.properties
>    AL    /home/jenkins/jenkins-slave/workspace/incubator-netbeans-linux/o.eclipse.jgit/nbproject/project.xml
> 
> build.xml and project.xml files are listed in a "Problems to be solved
> centrally" list, so I assume I can ignore them, but in fact, all 4
> files listed above have an Apache License header...
> 

I do add Apache license headers to these, I think.

> 2.
> 
> There's 1 external dependency here:
> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
> 
> I'm not sure about the nosignature part, but I can find[1] this
> version which I guess is the same one, but when I change the
> binaries-list file to use
> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
> 
> I got an error as the hash was wrong and had to change it to be:
> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5
> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
> 
> Should I be viewing this as a potential question mark, or is it okay?

Enter the SHA-1 Checksum at the bottom of this page:

http://search.maven.org/#advancedsearch

And doublecheck that the version (name, etc.) is correct.

If the name of the jar file is different from the original entry you'll 
have to update nbproject/project.xml and nbproject/project.properties. 
In your case the original file had a '_nosignature' thing there, which 
is missing in the file downloaded from central.

For an example of this case of different names you can see 
libs.xerces/external/binaries-list (once it's committed). The file 
downloaded from maven is xercesImpl-2.8.0.jar, but the original file was 
xerces.2.8.0.jar, that name change had to be reflected in 
nbproject/project.xml and nbproject/project.properties.

> 
> 3.
> 
> Looking back at[1] it's licensed under EDL.  I assume I need to add a file:
> org.eclipse.jgit-3.6.2.201501210735-r-notice.txt but I'm unsure what
> to include in it/where does its content come from.

I visit the project's repository and then find the proper version. Some 
of them have a notice file there, some others (libs.smack, for instance) 
don't have one.

Hope this helps,
Antonio