You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2022/07/23 19:05:00 UTC
[jira] [Commented] (MRESOLVER-246) m-deploy-p will create hashes for hashes
[ https://issues.apache.org/jira/browse/MRESOLVER-246?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17570353#comment-17570353 ]
Michael Osipov commented on MRESOLVER-246:
------------------------------------------
I believe that this is solved by MRESOLVER-241.
> m-deploy-p will create hashes for hashes
> ----------------------------------------
>
> Key: MRESOLVER-246
> URL: https://issues.apache.org/jira/browse/MRESOLVER-246
> Project: Maven Resolver
> Issue Type: Bug
> Reporter: Benjamin Marwell
> Assignee: Tamás Cservenák
> Priority: Major
> Fix For: 1.8.2
>
>
> Hi everyone,
> recent ASF parent pom will create hashes for source-release-zip files using the checksum-maven-plugin.
> However, the SHIRO project decided to hash ALL artifacts:
> {code:xml}
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-gpg-plugin</artifactId>
> <configuration>
> <excludes>
> <!-- default config -->
> <exclude>**/*.md5</exclude>
> <exclude>**/*.sha1</exclude>
> <exclude>**/*.sha256</exclude>
> <exclude>**/*.sha512</exclude>
> <exclude> **/*.asc</exclude>
> <!-- additional hashes -->
> <exclude>**/*.sha3512</exclude>
> </excludes>
> </configuration>
> </plugin>
> <plugin>
> <groupId>net.nicoulaj.maven.plugins</groupId>
> <artifactId>checksum-maven-plugin</artifactId>
> <version>1.11</version>
> <executions>
> <execution>
> <id>source-release-checksum</id>
> <phase>none</phase>
> </execution>
> <execution>
> <id>main-artifact-checksum</id>
> <phase>verify</phase>
> <goals>
> <goal>artifacts</goal>
> </goals>
> </execution>
> </executions>
> <configuration>
> <algorithms>
> <algorithm>SHA-256</algorithm>
> <algorithm>SHA-512</algorithm>
> <algorithm>SHA3-512</algorithm>
> </algorithms>
> <csvSummary>false</csvSummary>
> <!--
> attach checksums as well to upload to Maven Staging Repo,
> as this eases uploading from stage to dist and doesn't do harm in Maven Central
> -->
> <attachChecksums>true</attachChecksums>
> </configuration>
> </plugin>
> {code}
> Now as you can see, gpg plugin had to be extended, but we also create *.sha3512 files. Those and all other hashes are being hashed by the deploy plugin, though:
> {code}
> $ ls -1F ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/*sources*
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.asc
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.md5
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha1
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha256
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha256.md5
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha256.sha1
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha3512
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha3512.md5
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha3512.sha1
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha512
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha512.md5
> ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha512.sha1
> {code}
> Notice the *.sha512.md1 and *.sha512.sha1 files.
> Currently there is no exclusion possible.
> Therefore:
> * Let's add an exclusion parameter for hashing, similar to gpg's one.
> * set a sane default (to be discussed).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)