You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@netbeans.apache.org by Jaroslav Tulach <ja...@gmail.com> on 2017/11/08 13:02:29 UTC
HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)
>
> Sorry, not sure what is happening, I tried to download:
>> https://search.maven.org/remotecontent?filepath=org/netbeans
>> /html/net.java.html.boot.script/1.5/net.java.html.boot.script-1.5.jar
>>
>> and it seems to have sha1sum:
>> 276009d3f0a27079a80d241c3183ec712305a42a
>>
>
> Indeed, if I download the above manually I can confirm it to have the
> expected sha1sum.
>
> The problem seems to be caused by my local maven repository already
> having these artifacts, and *those* have different sha1sum...
> Disabling my local maven repository 'fixed' this and the build succeeds.
> And ant tryme does start the platform now.
Hello Ate,
this is a result of your previous testing of HTML/Java 1.5. You have built
the artifacts and they got into your local Maven repository. Not sure what
is the best way out of this - I usually delete affected part of my
$HOME/.m2/repository/org/netbeans/html
-jt
Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)
Posted by Michael Nascimento <mi...@gmail.com>.
On Wed, Nov 8, 2017 at 1:02 PM, Ate Douma <at...@douma.nu> wrote:
> That is not the case. I *did* built the correct version locally.
Ooops, sorry for jumping to conclusions, Ate.
> No, And that is the cause of the issue here.
> Every built of a jar will produce a different sha, so you're assessment
> is correct.
> While not a blocking issue I agree the current check is not sustainable.
True then.
Regards,
Michael
Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha
(incubating)
Posted by Ate Douma <at...@douma.nu>.
On 2017-11-08 15:25, Bertrand Delacretaz wrote:
> On Wed, Nov 8, 2017 at 3:16 PM, Michael Nascimento <mi...@gmail.com> wrote:
>> ...Had he built the correct version,
>> everything would have worked out fine....
That is not the case. I *did* built the correct version locally.
>
> Can you build the same jar multiple times and get the same digest every time? >
> Some jars include build timestamps which breaks this, but maybe the
> NetBeans builds take care of that?
No, And that is the cause of the issue here.
Every built of a jar will produce a different sha, so you're assessment
is correct.
While not a blocking issue I agree the current check is not sustainable.
Ate
>
> -Bertrand
>
Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)
Posted by Bertrand Delacretaz <bd...@apache.org>.
On Wed, Nov 8, 2017 at 3:16 PM, Michael Nascimento <mi...@gmail.com> wrote:
> ...Had he built the correct version,
> everything would have worked out fine....
Can you build the same jar multiple times and get the same digest every time?
Some jars include build timestamps which breaks this, but maybe the
NetBeans builds take care of that?
-Bertrand
Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)
Posted by Michael Nascimento <mi...@gmail.com>.
On Wed, Nov 8, 2017 at 12:12 PM, Bertrand Delacretaz
<bd...@apache.org> wrote:
> Does this means the platform build only works using binaries
> downloaded from search.maven.org, as opposed to binaries built
> locally?
No, he just had a messed up version deployed in his local Maven repo
and this was picked by the build. Had he built the correct version,
everything would have worked out fine.
Regards,
Michael
Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)
Posted by Jaroslav Tulach <ja...@gmail.com>.
2017-11-08 15:12 GMT+01:00 Bertrand Delacretaz <bd...@apache.org>:
> Hi,
>
> On Wed, Nov 8, 2017 at 2:02 PM, Jaroslav Tulach
> <ja...@gmail.com> wrote:
> > ...this is a result of your previous testing of HTML/Java 1.5. You have
> built
> > the artifacts and they got into your local Maven repository....
It is a Maven flaw that it produces different artifacts with every new
build. But almost any build system is flawed this way. Unless I am mistaken
only Debian invested enormous amount of effort to create reproducible
builds of its artifacts.
> Does this means the platform build only works using binaries
> downloaded from search.maven.org, as opposed to binaries built
> locally?
>
The platform indeed works with libraries built locally. Once you change the
platform code to properly reference the binaries built locally.
> If yes that's a problem IMO, developers should be able (and encouraged
> to) build everything themselves from sources.
>
Fine. But we also want stable and predictable build which will not suffer
from shaky network connections and/or man in middle attack. Right now I
prefer correctness of the build over developer's comfort.
>
> Nothing urgent but something to fix at some point, unless there's a
> workaround already.
>
The workaround is to change the binaries-list file to point to the locally
build JAR and to provide its correct checksum. That has worked acceptably
for last 17 years, so I think it will be fine for a while.
-jt
Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,
On Wed, Nov 8, 2017 at 2:02 PM, Jaroslav Tulach
<ja...@gmail.com> wrote:
> ...this is a result of your previous testing of HTML/Java 1.5. You have built
> the artifacts and they got into your local Maven repository....
Does this means the platform build only works using binaries
downloaded from search.maven.org, as opposed to binaries built
locally?
If yes that's a problem IMO, developers should be able (and encouraged
to) build everything themselves from sources.
Nothing urgent but something to fix at some point, unless there's a
workaround already.
-Bertrand