You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@uima.apache.org by "Richard Eckart de Castilho (Jira)" <de...@uima.apache.org> on 2022/05/13 08:31:00 UTC

[jira] [Updated] (UIMA-6453) Invalid SHA512 generated for Maven artifacts

     [ https://issues.apache.org/jira/browse/UIMA-6453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Eckart de Castilho updated UIMA-6453:
---------------------------------------------
    Description: 
The SHA512 signature files we generate for the Maven artifacts overwrite each other. E.g. in the recent uimaFIT 3.3.0 RC 2, I found:

```
% cat org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.sha512
4db94daceccf1727b1620a20a708eb1830a95fa8ad967219ad7fff537bf845055174f659b43f3bb827cd1296d4608c10b3f36306a76da4dd27af50a45517bb2f  uimafit-maven-plugin-3.3.0-javadoc.jar
```

Looking at Maven Central, I can see such bad signatures in multiple releases:

*UIMAJ*
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.1.1/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.2.0/ - BAD
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.3.0/ - BAD (latest version)
 
*uimaFIT*
* https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.1.0/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.2.0/ - BAD (latest version)
 
*RUTA*
* https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.0.1/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.1.0/ - BAD (latest version)

*UIMA-AS*
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-as-core/2.9.0/ - last release seems to have been before the SHA512 requirement

*DUCC*
* https://repo1.maven.org/maven2/org/apache/uima/uima-ducc-common/3.0.0/ - looks ok (latest version)

  was:
The SHA512 signature files we generate for the Maven artifacts overwrite each other. E.g. in the recent uimaFIT 3.3.0 RC 2, I found:

```
% cat org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.sha512
4db94daceccf1727b1620a20a708eb1830a95fa8ad967219ad7fff537bf845055174f659b43f3bb827cd1296d4608c10b3f36306a76da4dd27af50a45517bb2f  uimafit-maven-plugin-3.3.0-javadoc.jar
```

Looking at Maven Central, I can see such bad signatures in multiple releases:

*UIMAJ*
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.1.1/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.2.0/ - BAD
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.3.0/ - BAD (latest version)
 
*uimaFIT*
* https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.1.0/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.2.0/ - BAD (latest version)
 
*RUTA*
* https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.0.1/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.1.0/ - BAD (latest version

*UIMA-AS*
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-as-core/2.9.0/ - last release seems to have been before the SHA512 requiremen

*DUCC*
* https://repo1.maven.org/maven2/org/apache/uima/uima-ducc-common/3.0.0/ - looks ok (latest version)


> Invalid SHA512 generated for Maven artifacts
> --------------------------------------------
>
>                 Key: UIMA-6453
>                 URL: https://issues.apache.org/jira/browse/UIMA-6453
>             Project: UIMA
>          Issue Type: Bug
>          Components: Build, Packaging and Test
>            Reporter: Richard Eckart de Castilho
>            Assignee: Richard Eckart de Castilho
>            Priority: Major
>
> The SHA512 signature files we generate for the Maven artifacts overwrite each other. E.g. in the recent uimaFIT 3.3.0 RC 2, I found:
> ```
> % cat org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.sha512
> 4db94daceccf1727b1620a20a708eb1830a95fa8ad967219ad7fff537bf845055174f659b43f3bb827cd1296d4608c10b3f36306a76da4dd27af50a45517bb2f  uimafit-maven-plugin-3.3.0-javadoc.jar
> ```
> Looking at Maven Central, I can see such bad signatures in multiple releases:
> *UIMAJ*
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.1.1/ - looks ok
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.2.0/ - BAD
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.3.0/ - BAD (latest version)
>  
> *uimaFIT*
> * https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.1.0/ - looks ok
> * https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.2.0/ - BAD (latest version)
>  
> *RUTA*
> * https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.0.1/ - looks ok
> * https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.1.0/ - BAD (latest version)
> *UIMA-AS*
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-as-core/2.9.0/ - last release seems to have been before the SHA512 requirement
> *DUCC*
> * https://repo1.maven.org/maven2/org/apache/uima/uima-ducc-common/3.0.0/ - looks ok (latest version)



--
This message was sent by Atlassian Jira
(v8.20.7#820007)