You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@maven.apache.org by Scott Parkerson <sg...@snortasprocket.net> on 2010/12/02 15:21:02 UTC
Maven Central Repository & Bad Checksums
Once upon a time, I filed a JIRA at Codehaus: http://jira.codehaus.org/browse/MEV-641. Eleven months elapsed before someone finally fixed the checksum metadata to match the jar in the repository.
Yesterday, I filed another pair of issues: MEV-675 and MEV-676. I was wondering if I have to wait another 11 months before they are addressed.[1]
Who is handling these? Is there a labor shortage on handling these issues? Furthermore, it would seem that automating this process would be the answer, as it probably wouldn't be difficult to crawl the repository and check checksums and either (a) add them where they are missing or (b) fix them where they are there and are incorrect.
If there's a need, I'll volunteer to do just that.
--sgp
[1] Just kidding, naturally.
Re: Maven Central Repository & Bad Checksums
Posted by Brian Fox <br...@infinity.nu>.
We do a little bit of sleuthing when resolving these types of issues
to make sure the file hasn't been changed, which is why automatic
correction isn't implemented. We are working on process to ensure that
no new things come in this way. It can only happen today via the old
rsync mechanisms and those are deprecated and will be disabled soon
anyway.
On Thu, Dec 2, 2010 at 2:45 PM, Wayne Fay <wa...@gmail.com> wrote:
>> I don't think that checksums are for detecting compromised jars. Checksums
>> are for checking that a file was transferred correctly, regardless of it
>> being compromised or not. So, I also think that all checksums should be
>> corrected.
>
> But how does a bot know that the Jar was uploaded ok into Central? Its
> the same problem. The checksum should be generated by the original
> owner of the artifact and uploaded alongside it, and any deviations
> should be directed back to the owner to resolve.
>
> Wayne
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
> For additional commands, e-mail: users-help@maven.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org
Re: Maven Central Repository & Bad Checksums
Posted by Wayne Fay <wa...@gmail.com>.
> I don't think that checksums are for detecting compromised jars. Checksums
> are for checking that a file was transferred correctly, regardless of it
> being compromised or not. So, I also think that all checksums should be
> corrected.
But how does a bot know that the Jar was uploaded ok into Central? Its
the same problem. The checksum should be generated by the original
owner of the artifact and uploaded alongside it, and any deviations
should be directed back to the owner to resolve.
Wayne
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org
Re: Maven Central Repository & Bad Checksums
Posted by Anders Hammar <an...@hammar.net>.
I don't think that checksums are for detecting compromised jars. Checksums
are for checking that a file was transferred correctly, regardless of it
being compromised or not. So, I also think that all checksums should be
corrected.
However, pgp signatures are for detecting compromised files.
/Anders
On Thu, Dec 2, 2010 at 17:58, Wayne Fay <wa...@gmail.com> wrote:
> > Furthermore, it would seem that automating this process would be the
> answer, as
> > it probably wouldn't be difficult to crawl the repository and check
> checksums and
> > either (a) add them where they are missing or (b) fix them where they are
> there
> > and are incorrect.
>
> I don't think you want to automate fixing them, only detecting the
> problems. Because if/when an honestly bad (or compromised/hacked) jar
> lands in Central, you want to know about it, and not just assume it is
> correct and use that MD5, right?
>
> Wayne
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
> For additional commands, e-mail: users-help@maven.apache.org
>
>
Re: Maven Central Repository & Bad Checksums
Posted by Wayne Fay <wa...@gmail.com>.
> Furthermore, it would seem that automating this process would be the answer, as
> it probably wouldn't be difficult to crawl the repository and check checksums and
> either (a) add them where they are missing or (b) fix them where they are there
> and are incorrect.
I don't think you want to automate fixing them, only detecting the
problems. Because if/when an honestly bad (or compromised/hacked) jar
lands in Central, you want to know about it, and not just assume it is
correct and use that MD5, right?
Wayne
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org
Re: Maven Central Repository & Bad Checksums
Posted by Scott Parkerson <sg...@snortasprocket.net>.
On Dec 2, 2010, at 10:02 AM, Anders Hammar wrote:
> You should file tickets for Maven Central at [1] instead.
>
> [1] https://issues.sonatype.org/browse/MVNCENTRAL
>
Sigh. This is what I get for not reading *closely* (and assuming that things were as they were 11 months ago). So Sonatype is in charge of housekeeping for Maven Central now?
I'll close my issues on the Codehaus JIRA and re-open them on Sonatype's JIRA, then.
Cheers,
--sgp
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org
Re: Maven Central Repository & Bad Checksums
Posted by Anders Hammar <an...@hammar.net>.
You should file tickets for Maven Central at [1] instead.
/Anders
[1] https://issues.sonatype.org/browse/MVNCENTRAL
On Thu, Dec 2, 2010 at 15:21, Scott Parkerson <sg...@snortasprocket.net>wrote:
> Once upon a time, I filed a JIRA at Codehaus:
> http://jira.codehaus.org/browse/MEV-641. Eleven months elapsed before
> someone finally fixed the checksum metadata to match the jar in the
> repository.
>
> Yesterday, I filed another pair of issues: MEV-675 and MEV-676. I was
> wondering if I have to wait another 11 months before they are addressed.[1]
>
> Who is handling these? Is there a labor shortage on handling these issues?
> Furthermore, it would seem that automating this process would be the answer,
> as it probably wouldn't be difficult to crawl the repository and check
> checksums and either (a) add them where they are missing or (b) fix them
> where they are there and are incorrect.
>
> If there's a need, I'll volunteer to do just that.
>
> --sgp
>
> [1] Just kidding, naturally.
>
>