foojayio / discoapi

The foojay discovery api (discoapi) is made to discover java packages (jre/jdk) from different distributions.
GNU General Public License v2.0
115 stars 14 forks source link

SAP Machine incorrect checksum_uri(s) for MSI #92

Open ajshastri opened 11 months ago

ajshastri commented 11 months ago

Hello,

It appears the foojay api has the missing a keyword in the checksum_uri(s) for SAP machine java(s) for MSI packages. This seems to happen for all available Java JDKs (11, 17, 21) (sap only produces x64)

For example: ID: 419e00467244666ae39d1d275eb6324a obtained from end point https://api.foojay.io/disco/v3.0/packages/jdks?version=11&distribution=sapmachine&architecture=amd64&archive_type=msi&operating_system=windows&latest=available

When I follow the result -> links -> pkg_info_uri, (https://api.foojay.io/disco/v3.0/ids/419e00467244666ae39d1d275eb6324a) I get

    "filename":"sapmachine-jdk-11.0.21_windows-x64_bin.msi",
    "direct_download_uri":"https://github.com/SAP/SapMachine/releases/download/sapmachine-11.0.21/sapmachine-jdk-11.0.21_windows-x64_bin.msi",
    "download_site_uri":"",
    "signature_uri":"",
    "checksum_uri":"https://github.com/SAP/SapMachine/releases/download/sapmachine-11.0.21/sapmachine-jdk-11.0.21_windows-x64_bin.sha256.txt",
    "checksum":"",
    "checksum_type":"sha256"

The checksum URI needs to be sapmachine-jdk-11.0.21_windows-x64_bin.msi.sha256.txt corresponding to the "MSI" version (please note the windows-x64_bin.msi.sha256.txt

This is the case for JDK 17 (e97160c971054d58a65d415a9a2597c8), JDK 21 (3c8d71fc140cbba916d5ad5260399f72), JRE 11 (7e0b21939f4a9b87005432989170da27), JRE 17 (e243f92a782c848c3f3beee48dbc6350), and JRE 21 (9166d93c3367543f89c62c27371a4a91).

Please let me know if that can be resolved.

HanSolo commented 11 months ago

thx for the heads up…will check asap 👍🏻

ajshastri commented 11 months ago

thx for the heads up…will check asap 👍🏻

Much appreciated!

HanSolo commented 11 months ago

Well it looks like SAP is creating these files as you can see for example here: https://github.com/SAP/SapMachine/releases/tag/sapmachine-23%2B3 which contains the following name: sapmachine-jre-23-ea.3_windows-x64_bin.sha256.txt The Disco API simply gets these names and stores them. The fact that you can download the files shows that the links work and coming as such from the original github releases page. Meaning to say I cannot change them because that's their name.

ajshastri commented 11 months ago

@HanSolo Sorry I don't follow.

sapmachine-jre-23-ea.3, might not be the best example because they are missing the MSI asset (which I am surprised about)

If we look at a non pre-release version such as https://github.com/SAP/SapMachine/releases/tag/sapmachine-21.0.1, there's 2 different windows assets - sapmachine-jdk-21.0.1_windows-x64_bin.msi and sapmachine-jdk-21.0.1_windows-x64_bin.zip which have their respective SHA256 txt files sapmachine-jdk-21.0.1_windows-x64_bin.msi.sha256.txt and sapmachine-jdk-21.0.1_windows-x64_bin.sha256.txt.

In the foojay api, wouldn't they be considered two different assets of archive_type MSI and zip, thus the different sha256.txt(s)?

Extending it to the sapmachine-jre-23-ea.3, with the absense of the MSI package, foojay would not have any MSI assets and hence no checksums and the zip file with it's corresponding txt?

Thank you for looking into this.

HanSolo commented 11 months ago

I understand your point but as I mentioned, disco only reads the links from github. We are not creating any checksums etc. but only provide data that we collect on the web.

ajshastri commented 10 months ago

Thanks @HanSolo.

One last question, the link to the MSI checksum is provided along with the asset from what I can tell, can the checksum uri be pointed to that? Once done, it should work for all LTS versions of SAP should they exist? Or is it something that would break the data fetch?

HanSolo commented 10 months ago

Well that would be a very specific case just for the SAP packages, I would like to keep it as simple as possible which is providing the link to the file. In principle it is the same as if you download the pkg and the checksum manually from the website.