jcommander-2.0.0-RC1.jar; invalid manifest format

cbeust / jcommander

Command line parsing framework for Java

Apache License 2.0

1.97k stars 334 forks source link

jcommander-2.0.0-RC1.jar; invalid manifest format #561

Closed sysmat closed 7 months ago

sysmat commented 1 year ago

<dependency>
            <groupId>com.beust</groupId>
            <artifactId>jcommander</artifactId>
            <version>2.0.0-RC1</version>
        </dependency>

java 8

mkarg commented 1 year ago

Unfortunately I do not understand your bug report. Can you please explain what you did, what you expected, and what happened instead? Thanks.

BTW, there is no 2.2.0-RC1 from JCommander.

yuanqi99 commented 1 year ago

不幸的是我不明白你的错误报告做了。你能解释一下你什么、你期望什么以及发生了什么吗？谢谢。

顺便说一句，JCommander没有2.2.0-RC1。

Don't know if it is, when using Maven to package into jars, use the cmd window to run "java -jar xxx.jar --help"

jcomd.jar; invalid manifest format jcomd.jar中没有主清单属性

mkarg commented 1 year ago

I am very sorry @yuanqi99, but I still do not understand what you are actually doing. We (Cedric and me) did not publish a release called 2.2.0-RC1 neither uploaded a file named jcomd.jar. So where is that jcomd.jar downloaded from?

mkarg commented 1 year ago

@sysmat Can you please chime in, as you wrote the initial report? Thanks.

daveloyall commented 12 months ago

This is the closest thing I found. https://mvnrepository.com/artifact/com.beust/jcommander/2.0.0-RC1

Does this artifact belong to this project? Note 2.2 vs 2.0...

mkarg commented 12 months ago

That page says this artifact exists only on Spring-specific repositories. We do not upload there. We officially upload only to Maven Central. Please do not ask questions here for stuff not produced here. Please always use official builds from Maven Central only. Thanks.

daveloyall commented 12 months ago

Hi mkarg, I'm new to this conversation and I'm only helping. The question I asked was "was that artifact produced here?". Thank you for the response. I understand now that the artifact on spring.io is NOT official..

It is worth noting that the artifact is tagged with Cedric's first and last name. Speculation: some third party may have attempted spread malware by "squatting" on the groupId, etc... I won't be investigating that myself. The Spring project might be interested? They have a "report a problem" form: https://github.com/spring-projects/security-advisories/security/advisories/new

Users who downloaded the artifact in the past might want to take some action, especially if they subsequently released software which bundled that artifact... (I say "might" because this is just speculation.)

mkarg commented 11 months ago

@sysmat Does that answer your question?

mkarg commented 7 months ago

@sysmat As you were not responding, I assume that your answer was resolved. Hence I am closing this issue.