Closed macfarla closed 3 weeks ago
macfarla
commented
1 month ago for reference - this is when the dependencies were updated to 0.8.4 https://github.com/hyperledger/besu/pull/7053/files#diff-f99e770fad89ddc92545ae5716f24cdf483f0a74af024552fadfb42425a7e484
chichi13
commented
1 month ago Same problem here!
ethereum@ethereum-holesky-02:~/besu$ ./gradlew installDist
> Configure project :
Generating project version as supplied is version not semver: unspecified
FAILURE: Build failed with an exception.
* Where:
Build file '/home/ethereum/besu/ethereum/referencetests/build.gradle' line: 74
* What went wrong:
Could not determine the dependencies of task ':installDist'.
> Could not resolve all dependencies for configuration ':runtimeClasspath'.
> Could not create task ':ethereum:referencetests:executionSpecTests'.
> Dependency verification failed for configuration ':ethereum:referencetests:tarConfig'
10 artifacts failed verification:
- arithmetic-0.8.4.jar (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
- arithmetic-0.8.4.module (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
- blake2bf-0.8.4.jar (org.hyperledger.besu:blake2bf:0.8.4) from repository maven
- blake2bf-0.8.4.module (org.hyperledger.besu:blake2bf:0.8.4) from repository maven
- bls12-381-0.8.4.jar (org.hyperledger.besu:bls12-381:0.8.4) from repository maven
- bls12-381-0.8.4.module (org.hyperledger.besu:bls12-381:0.8.4) from repository maven
- secp256k1-0.8.4.jar (org.hyperledger.besu:secp256k1:0.8.4) from repository maven
- secp256k1-0.8.4.module (org.hyperledger.besu:secp256k1:0.8.4) from repository maven
- secp256r1-0.8.4.jar (org.hyperledger.besu:secp256r1:0.8.4) from repository maven
- secp256r1-0.8.4.module (org.hyperledger.besu:secp256r1:0.8.4) from repository maven
This can indicate that a dependency has been compromised. Please carefully verify the checksums.
Open this report for more details: file:///home/ethereum/besu/build/reports/dependency-verification/at-1717492364772/dependency-verification-report.html
* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.
Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
For more on this, please refer to https://docs.gradle.org/8.7/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
BUILD FAILED in 1sJava 21 used here
holiman
commented
1 month ago Affecting the goevmlab docker build too
#30 [java-builder 4/5] RUN cd besu && ./gradlew --parallel ethereum:evmtool:installDist
#30 0.347 Downloading https://services.gradle.org/distributions/gradle-8.7-bin.zip
#30 1.925 ............10%.............20%.............30%.............40%............50%.............60%.............70%.............80%.............90%............100%
#30 9.157 Starting a Gradle Daemon (subsequent builds will be faster)
#30 46.26
#30 46.27 > Configure project :
#30 46.27 Generating project version as supplied is version not semver: unspecified
#30 122.8
#30 122.8 FAILURE: Build failed with an exception.
#30 122.8
#30 122.8 * Where:
#30 122.8 Build file '/besu/ethereum/referencetests/build.gradle' line: 74
#30 122.8
#30 122.8 * What went wrong:
#30 122.8 Could not determine the dependencies of task ':ethereum:evmtool:installDist'.
#30 122.8 > Could not resolve all dependencies for configuration ':ethereum:evmtool:runtimeClasspath'.
#30 122.8 > Could not create task ':ethereum:referencetests:executionSpecTests'.
#30 122.8 > Dependency verification failed for configuration ':ethereum:referencetests:tarConfig'
#30 122.8 10 artifacts failed verification:
#30 122.8 - arithmetic-0.8.4.jar (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
#30 122.8 - arithmetic-0.8.4.module (org.hyperledger.besu:arithmetic:0.8.4) from repository maven
#30 122.8 - blake2bf-0.8.4.jar (org.hyperledger.besu:blake2bf:0.8.4) from repository maven
#30 122.8 - blake2bf-0.8.4.module (org.hyperledger.besu:blake2bf:0.8.4) from repository maven
#30 122.8 - bls12-381-0.8.4.jar (org.hyperledger.besu:bls12-381:0.8.4) from repository maven
#30 122.8 - bls12-381-0.8.4.module (org.hyperledger.besu:bls12-381:0.8.4) from repository maven
#30 122.8 - secp256k1-0.8.4.jar (org.hyperledger.besu:secp256k1:0.8.4) from repository maven
#30 122.8 - secp256k1-0.8.4.module (org.hyperledger.besu:secp256k1:0.8.4) from repository maven
#30 122.8 - secp256r1-0.8.4.jar (org.hyperledger.besu:secp256r1:0.8.4) from repository maven
#30 122.8 - secp256r1-0.8.4.module (org.hyperledger.besu:secp256r1:0.8.4) from repository maven
#30 122.8 This can indicate that a dependency has been compromised. Please carefully verify the checksums.
eenagy
commented
1 month ago Same issue.
macfarla
commented
1 month ago 
matthew1001
commented
1 month ago I think there's an argument for the 0.8.4 artifacts being re-published at the correct version. We're unable to build 24.5.2 and aren't ready to roll forward.
eenagy
commented
1 month ago I think there's an argument for the
0.8.4artifacts being re-published at the correct version. We're unable to build24.5.2and aren't ready to roll forward.
I'm having the same issue, that I can't build from the release tarball anymore. It would be good to update: https://github.com/hyperledger/besu/releases/tag/24.5.2 to reflect the changes.
matthew1001
commented
1 month ago I'm going to re-open this issue for now as I don't think rolling Besu forward is the only solution that's needed. If the 0.8.4 artifacts have now been changed to be incorrect then they really ought to be reverted to the version they should be at
macfarla
commented
4 weeks ago working on this.
Update - right now the workflow for Pull Request, it actually checkout the branch and it merge to the base branch(main). So we cannot republish on pull request trigger. We could publish on a push in release- branch. However also need to check with Hyperledger why self-hosted runner does not pick up the job when it is from a release- branch.
cdivitotawela
commented
3 weeks ago Release https://github.com/hyperledger/besu/releases/tag/24.5.4 has been released with the checksum fixes.
this is blocked right now because DCO check is not responding
it seems that most recent commit to besu-native https://github.com/hyperledger/besu-native/pull/169 has updated the 0.8.4 release artifacts. hence right now the dependency check is failing in GHA
I think the problem has occurred, because gradle.properties still has 0.8.4 version - was not updated to 0.8.5-SNAPSHOT after this release https://github.com/hyperledger/besu-native/commit/74cf9955d79d29a4d7aa2efcc727c9ea63c45480 LFR 0.8.5 release for besu-native https://github.com/hyperledger/besu-native/pull/171 then LFR prep 0.8.6 release for besu-native https://github.com/hyperledger/besu-native/pull/172 and then we will need to update dependencies in besu to 0.8.5 versions of native libs looks like DCO bot is non-responsive so this is blocked. If this is resolved in the next few hrs, would be great if someone else could pick this up - next step is to update dependencies for the native libs in besu to 0.8.5 version