You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@uima.apache.org by "Richard Eckart de Castilho (Jira)" <de...@uima.apache.org> on 2022/05/13 08:31:00 UTC
[jira] [Updated] (UIMA-6453) Invalid SHA512 generated for Maven artifacts
[ https://issues.apache.org/jira/browse/UIMA-6453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Eckart de Castilho updated UIMA-6453:
---------------------------------------------
Description:
The SHA512 signature files we generate for the Maven artifacts overwrite each other. E.g. in the recent uimaFIT 3.3.0 RC 2, I found:
```
% cat org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.sha512
4db94daceccf1727b1620a20a708eb1830a95fa8ad967219ad7fff537bf845055174f659b43f3bb827cd1296d4608c10b3f36306a76da4dd27af50a45517bb2f uimafit-maven-plugin-3.3.0-javadoc.jar
```
Looking at Maven Central, I can see such bad signatures in multiple releases:
*UIMAJ*
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.1.1/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.2.0/ - BAD
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.3.0/ - BAD (latest version)
*uimaFIT*
* https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.1.0/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.2.0/ - BAD (latest version)
*RUTA*
* https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.0.1/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.1.0/ - BAD (latest version)
*UIMA-AS*
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-as-core/2.9.0/ - last release seems to have been before the SHA512 requirement
*DUCC*
* https://repo1.maven.org/maven2/org/apache/uima/uima-ducc-common/3.0.0/ - looks ok (latest version)
was:
The SHA512 signature files we generate for the Maven artifacts overwrite each other. E.g. in the recent uimaFIT 3.3.0 RC 2, I found:
```
% cat org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.sha512
4db94daceccf1727b1620a20a708eb1830a95fa8ad967219ad7fff537bf845055174f659b43f3bb827cd1296d4608c10b3f36306a76da4dd27af50a45517bb2f uimafit-maven-plugin-3.3.0-javadoc.jar
```
Looking at Maven Central, I can see such bad signatures in multiple releases:
*UIMAJ*
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.1.1/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.2.0/ - BAD
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.3.0/ - BAD (latest version)
*uimaFIT*
* https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.1.0/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.2.0/ - BAD (latest version)
*RUTA*
* https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.0.1/ - looks ok
* https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.1.0/ - BAD (latest version
*UIMA-AS*
* https://repo1.maven.org/maven2/org/apache/uima/uimaj-as-core/2.9.0/ - last release seems to have been before the SHA512 requiremen
*DUCC*
* https://repo1.maven.org/maven2/org/apache/uima/uima-ducc-common/3.0.0/ - looks ok (latest version)
> Invalid SHA512 generated for Maven artifacts
> --------------------------------------------
>
> Key: UIMA-6453
> URL: https://issues.apache.org/jira/browse/UIMA-6453
> Project: UIMA
> Issue Type: Bug
> Components: Build, Packaging and Test
> Reporter: Richard Eckart de Castilho
> Assignee: Richard Eckart de Castilho
> Priority: Major
>
> The SHA512 signature files we generate for the Maven artifacts overwrite each other. E.g. in the recent uimaFIT 3.3.0 RC 2, I found:
> ```
> % cat org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.sha512
> 4db94daceccf1727b1620a20a708eb1830a95fa8ad967219ad7fff537bf845055174f659b43f3bb827cd1296d4608c10b3f36306a76da4dd27af50a45517bb2f uimafit-maven-plugin-3.3.0-javadoc.jar
> ```
> Looking at Maven Central, I can see such bad signatures in multiple releases:
> *UIMAJ*
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.1.1/ - looks ok
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.2.0/ - BAD
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.3.0/ - BAD (latest version)
>
> *uimaFIT*
> * https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.1.0/ - looks ok
> * https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.2.0/ - BAD (latest version)
>
> *RUTA*
> * https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.0.1/ - looks ok
> * https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.1.0/ - BAD (latest version)
> *UIMA-AS*
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-as-core/2.9.0/ - last release seems to have been before the SHA512 requirement
> *DUCC*
> * https://repo1.maven.org/maven2/org/apache/uima/uima-ducc-common/3.0.0/ - looks ok (latest version)
--
This message was sent by Atlassian Jira
(v8.20.7#820007)