broken checksums in maven artefacts for rc4

swlnet / google-collections

Automatically exported from code.google.com/p/google-collections

Apache License 2.0

0 stars 0 forks source link

broken checksums in maven artefacts for rc4 #296

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

apparently the checksums are broken:

$ curl 
http://repo2.maven.org/maven2/com/google/collections/google-collections/1.0-
rc4/google-collections-1.0-rc4.jar | sha1sum 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  624k  100  624k    0     0  39923      0  0:00:16  0:00:16 --:--:-- 89659
e01e7343ab0592566ec76ad82f8546c48e28315c  -
$ curl 
http://repo2.maven.org/maven2/com/google/collections/google-collections/1.0-
rc4/google-collections-1.0-rc4.jar.sha1
c703ce8ae10cbb6256245c287dbb70920ad9f770

It wasn't deployed using maven 2.2 was it? 2.2 generates incorrect checksums…

Original issue reported on code.google.com by jed.wesl...@gmail.com on 13 Nov 2009 at 12:51

GoogleCodeExporter commented 9 years ago

Yes, it was generated using maven 2.2. I assumed it was safe to use the latest
version of Maven.

How serious is this? Should I build and deploy a new rc4 with a Maven 2.1? 
Should I
give it a different version, like 1.0-rc4b?

Original comment by jared.l....@gmail.com on 13 Nov 2009 at 1:41

Changed state: Accepted

GoogleCodeExporter commented 9 years ago

Hi Jared,

The problem is caused when deploying to a repository that requires http
authentication. A change was made in 2.2.x to switch from j.u.httpclient to
org.apache.httpclient (from memory) which doesnt' submit authentication 
information
unless it receives a 401. This causes the output stream to be transmitted twice,
which produces the wrong checksum on the checksumming wrapped of the output 
stream.

The most recent issue for this is http://jira.codehaus.org/browse/MNG-4301

You can safely fix the checksum in your repository. I've attached a script to 
fix the
checksums

Original comment by daveche...@gmail.com on 13 Nov 2009 at 2:25

Attachments:

update-maven-checksums.sh

GoogleCodeExporter commented 9 years ago

Hi Jared,

What is the resolution here, are you going to fix the checksums in your repo, 
or wait for rc-5 ?

Cheers

Dave

Original comment by daveche...@gmail.com on 18 Nov 2009 at 6:51

GoogleCodeExporter commented 9 years ago

Hi Jared,

Is there any update on a resolution ?

Cheers

Dave

Original comment by daveche...@gmail.com on 3 Dec 2009 at 6:07

GoogleCodeExporter commented 9 years ago

Jared, this makes the library unusable from maven as it flags the library as 
corrupted when it downloads it (as do 
various proxies). We can get around this internally as we can deploy the 
correct checksums, but we cannot use it 
as an external dependency as our users will all get failing builds.

We have rolled back rc4 support until this issue is fixed.

Original comment by jed.wesl...@gmail.com on 4 Dec 2009 at 12:45

GoogleCodeExporter commented 9 years ago

We just released rc5, with a Maven package generated by Maven 2.0.10.

There's no longer a reason to fix the rc4 checksum.

Original comment by jared.l....@gmail.com on 11 Dec 2009 at 9:13

Changed state: WontFix