Posted to dev@maven.apache.org by Carlos Sanchez <ca...@apache.org> on 2007/06/26 22:27:47 UTC

Maven 2.0.6 release badly signed or changed

The checksums and signature don't match the pom

http://jira.codehaus.org/browse/MEV-530

-- 
I could give you my word as a Spaniard.
No good. I've known too many Spaniards.
                             -- The Princess Bride

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


Re: Maven 2.0.6 release badly signed or changed

Posted by Jason van Zyl <ja...@maven.org>.
On 27 Jun 07, at 7:45 PM 27 Jun 07, Daniel Kulp wrote:

>
> Maven 2.0.4 had this problem where all the poms ended up with bad sigs
> due to the pom changing (pom re-write) during deploy.    Maven 2.0.5
> fixed that.   Did 2.0.6 regress?
>

No, the POM is still untouched. The license files are still intact here:

http://repo1.maven.org/maven2/org/apache/maven/maven/2.0.7/maven-2.0.7.pom


Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder and PMC Chair, Apache Maven
jason at sonatype dot com
----------------------------------------------------------






Re: Maven 2.0.6 release badly signed or changed

Posted by Daniel Kulp <dk...@apache.org>.
Maven 2.0.4 had this problem where all the poms ended up with bad sigs 
due to the pom changing (pom re-write) during deploy.    Maven 2.0.5 
fixed that.   Did 2.0.6 regress?

Dan



-- 
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727    C: 508-380-7194
daniel.kulp@iona.com
http://www.dankulp.com/blog
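
The failure mode raised in this thread (a POM that is rewritten or renamed during deploy after its checksums and signature were produced) can be triaged by checking which form of the file the sidecar checksums actually cover. This is an added example, not part of the thread and not Maven's code; the sample POMs, the file name and the `triage` heuristic are constructed for illustration, and only checksums are compared.

```python
import hashlib
import re

# Constructed samples (not real Maven files): a POM as built, and the same
# POM after a deploy step re-serialised it and dropped the license comment.
BUILT_POM = b"""<?xml version="1.0"?>
<!-- Licensed to the ASF (constructed sample header) -->
<project>
  <artifactId>demo-parent</artifactId>
  <version>1.0</version>
</project>
"""
REWRITTEN_POM = BUILT_POM.replace(
    b"<!-- Licensed to the ASF (constructed sample header) -->\n", b"")
HEX_LEN = {"md5": 32, "sha1": 40}


def digest(algo, data):
    return hashlib.new(algo, data).hexdigest()


def parse_sidecar(algo, text):
    """Extract the digest from a .md5/.sha1 sidecar file.

    Accepts a bare digest or 'digest  filename'. Returns None when no token
    has the right length, e.g. a truncated sidecar.
    """
    for token in text.split():
        if re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[algo], token):
            return token.lower()
    return None


def hashed_form(algo, sidecar_text, candidates):
    """Name the candidate form of the file that the sidecar was computed over."""
    recorded = parse_sidecar(algo, sidecar_text)
    for name, data in candidates.items():
        if recorded == digest(algo, data):
            return name
    return None


def triage(published, sidecars, candidates):
    """Classify a published file against its sidecars (heuristic, assumed here)."""
    forms = {a: hashed_form(a, t, candidates) for a, t in sidecars.items()}
    bad = [a for a, t in sidecars.items()
           if parse_sidecar(a, t) != digest(a, published)]
    if not bad:
        return "ok", forms
    agreed = set(forms.values())
    if len(bad) == len(sidecars) and len(agreed) == 1 and None not in agreed:
        return "file changed after checksums were taken", forms
    return "sidecar damaged or file form unknown", forms


def demo():
    # Sidecars were written for the built POM, but the rewritten POM was published.
    sidecars = {"md5": digest("md5", BUILT_POM) + "  demo-parent-1.0.pom\n",
                "sha1": digest("sha1", BUILT_POM) + "\n"}
    candidates = {"built": BUILT_POM, "rewritten": REWRITTEN_POM}
    return triage(REWRITTEN_POM, sidecars, candidates)


if __name__ == "__main__":
    print(demo())
```

A detached signature can be checked against each candidate form in the same way, using gpg instead of a digest comparison.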



Re: Maven 2.0.6 release badly signed or changed

Posted by Jason van Zyl <ja...@maven.org>.
On 26 Jun 07, at 3:09 PM 26 Jun 07, Arnaud HERITIER wrote:

> I don't think that it could be problem in the gpg plugin. I
> copied/adapted its code in the artifact plugin for m1 and it seems to
> work fine (but we don't have to move artifacts between repos)
>

I'm trying some installs and deploys, and I don't think it's  
affecting anything that isn't a POM. I'm going on the hunch there is  
a rename problem somewhere along the way. I'll keep hunting.


Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder and PMC Chair, Apache Maven
jason at sonatype dot com
----------------------------------------------------------






Re: Maven 2.0.6 release badly signed or changed

Posted by Arnaud HERITIER <ah...@gmail.com>.
I don't think that it could be a problem in the gpg plugin. I
copied/adapted its code in the artifact plugin for m1 and it seems to
work fine (but we don't have to move artifacts between repos).

Arnaud



-- 
..........................................................
Arnaud HERITIER
..........................................................
OCTO Technology - aheritier@octo.com
www.octo.com | blog.octo.com
..........................................................
ASF - aheritier@apache.org
www.apache.org | maven.apache.org
...........................................................



Re: Maven 2.0.6 release badly signed or changed

Posted by Jason van Zyl <ja...@maven.org>.
On 26 Jun 07, at 2:23 PM 26 Jun 07, Jason van Zyl wrote:

>
> On 26 Jun 07, at 1:27 PM 26 Jun 07, Carlos Sanchez wrote:
>
>> The checksums and signature don't match the pom
>>
>> http://jira.codehaus.org/browse/MEV-530
>>
>
> It's not just that it's all of them.

By this I mean POMs. The 2.0.7 Maven parent POM has a bad signature.  
I haven't tried anything else but looking at the code it looks like  
it might be a renaming problem i.e. not being signed in the same form  
and renamed together.

> I checked the staging repository and the production repository and  
> the signature is bad in both places and all the files identical in  
> both places. So it's being generated incorrectly, or being  
> corrupted during the deployment. If I sign it from the command line  
> the signature is fine. The key I generate from the command line and  
> what's in the repo aren't even vaguely similar. I will take a look  
> at the GPG plugin. That's my first guess.
>

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder and PMC Chair, Apache Maven
jason at sonatype dot com
----------------------------------------------------------






Re: Maven 2.0.6 release badly signed or changed

Posted by Jason van Zyl <ja...@maven.org>.
On 26 Jun 07, at 1:27 PM 26 Jun 07, Carlos Sanchez wrote:

> The checksums and signature don't match the pom
>
> http://jira.codehaus.org/browse/MEV-530
>

It's not just that, it's all of them. I checked the staging repository
and the production repository and the signature is bad in both places
and all the files are identical in both places. So it's being generated
incorrectly, or being corrupted during the deployment. If I sign it
from the command line the signature is fine. The key I generate from
the command line and what's in the repo aren't even vaguely similar.
I will take a look at the GPG plugin. That's my first guess.


Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder and PMC Chair, Apache Maven
jason at sonatype dot com
----------------------------------------------------------



