trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
Apache License 2.0

release 455 trino-accumulo depends on io.opentelemetry:opentelemetry-semconv:1.27.0 #23187

Closed hboutemy closed 1 month ago

hboutemy commented 1 month ago

see https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/io/trino/trino-root-455.diffoscope

I don't know where this opentelemetry-semconv-1.27.0-alpha.jar comes from, nor whether the bytecode differences are malicious or just the result of a personal local rebuild and install, but it is definitely suspect.

Thank you, Reproducible Builds, for detecting this type of suspect content.

wendigo commented 1 month ago

It doesn't look malicious, but this is super strange. A lot of projects depend on the -alpha OTEL packages (these are named alpha just to designate that the API can change in the future, not that this is non-production code). Basically every release is alpha at this stage: https://mvnrepository.com/artifact/io.opentelemetry.semconv/opentelemetry-semconv

wendigo commented 1 month ago

I know what the issue is:

https://mvnrepository.com/artifact/io.opentelemetry/opentelemetry-semconv/1.27.0-alpha

vs

https://mvnrepository.com/artifact/io.opentelemetry.semconv/opentelemetry-semconv/1.27.0-alpha

Different GAV, but it seems that provisio doesn't handle this case properly.

wendigo commented 1 month ago

And here's a more permanent fix in provisio: https://github.com/jvanzyl/provisio/pull/115

findepi commented 1 month ago

> https://mvnrepository.com/artifact/io.opentelemetry/opentelemetry-semconv/1.27.0-alpha
>
> vs
>
> https://mvnrepository.com/artifact/io.opentelemetry.semconv/opentelemetry-semconv/1.27.0-alpha
>
> different GAV but it seems that provisio doesn't handle this case properly

It's not only provisio. Some other Maven tools will also not work correctly when artifactId+version+classifier (ignoring group id) isn't unique. Maybe we can fix this for provisio, as simply as including group id in the file names that go into the lib/ folder.
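The collision findepi describes, as an added example that is not code from Trino, provisio, or anyone in this thread. The script below maps dependency coordinates to flat lib/ file names under two schemes: the naive `artifactId-version[-classifier].jar` scheme, which drops the group id, and a group-qualified scheme. It then simulates copying the jars into lib/ in list order and verifies each jar's SHA-256 against the digest expected for its coordinate, so the silent overwrite shows up as a digest mismatch. The two `opentelemetry-semconv` coordinates are the ones named in the thread; the third coordinate, the coordinate string format, the flat lib/ layout, the jar bytes and the digests are assumptions constructed for illustration.

```python
"""Detect Maven artifact file-name collisions in a flat lib/ directory.

Added example, not from Trino or provisio. Assumes a coordinate format
"groupId:artifactId:version[:classifier]" and a flat lib/ layout in which
each dependency becomes one jar file. Jar contents and digests are
constructed here for illustration only.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Coordinate:
    group_id: str
    artifact_id: str
    version: str
    classifier: Optional[str] = None

    @classmethod
    def parse(cls, gav: str) -> "Coordinate":
        parts = gav.split(":")
        if len(parts) not in (3, 4):
            raise ValueError(f"bad coordinate: {gav!r}")
        classifier = parts[3] if len(parts) == 4 else None
        return cls(parts[0], parts[1], parts[2], classifier)

    def naive_file_name(self) -> str:
        # artifactId-version[-classifier].jar: the scheme that ignores groupId.
        suffix = f"-{self.classifier}" if self.classifier else ""
        return f"{self.artifact_id}-{self.version}{suffix}.jar"

    def qualified_file_name(self) -> str:
        # groupId.artifactId-version[-classifier].jar: unique per GAV.
        suffix = f"-{self.classifier}" if self.classifier else ""
        return f"{self.group_id}.{self.artifact_id}-{self.version}{suffix}.jar"


Naming = Callable[[Coordinate], str]


def find_collisions(coords: List[Coordinate], naming: Naming) -> Dict[str, List[Coordinate]]:
    """Return every lib/ file name that more than one coordinate maps to."""
    by_name: Dict[str, List[Coordinate]] = defaultdict(list)
    for c in coords:
        by_name[naming(c)].append(c)
    return {name: cs for name, cs in by_name.items() if len(cs) > 1}


def build_lib_dir(coords: List[Coordinate], jar_bytes: Dict[Coordinate, bytes],
                  naming: Naming) -> Dict[str, bytes]:
    """Simulate copying each dependency jar into lib/ in list order.

    Under the naive scheme a later jar with the same file name silently
    overwrites an earlier one; which jar survives depends only on order."""
    lib: Dict[str, bytes] = {}
    for c in coords:
        lib[naming(c)] = jar_bytes[c]
    return lib


def verify_lib_dir(lib: Dict[str, bytes], coords: List[Coordinate],
                   expected_sha256: Dict[Coordinate, str], naming: Naming) -> List[str]:
    """Return a finding for every coordinate whose jar is missing from lib/
    or does not hash to the digest expected for that coordinate."""
    findings = []
    for c in coords:
        name = naming(c)
        data = lib.get(name)
        if data is None:
            findings.append(f"{name}: missing")
            continue
        if hashlib.sha256(data).hexdigest() != expected_sha256[c]:
            findings.append(f"{name}: digest mismatch for {c.group_id}:{c.artifact_id}")
    return findings


# Constructed dependency list: the two OTEL coordinates from the thread plus
# one unrelated artifact. Jar contents are placeholder bytes, not real jars.
DEPENDENCIES = [Coordinate.parse(gav) for gav in [
    "io.opentelemetry:opentelemetry-semconv:1.27.0-alpha",
    "io.opentelemetry.semconv:opentelemetry-semconv:1.27.0-alpha",
    "io.trino:trino-accumulo:455",
]]
JAR_BYTES = {c: f"constructed jar for {c.group_id}:{c.artifact_id}".encode() for c in DEPENDENCIES}
EXPECTED_SHA256 = {c: hashlib.sha256(b).hexdigest() for c, b in JAR_BYTES.items()}


def naive_findings() -> List[str]:
    lib = build_lib_dir(DEPENDENCIES, JAR_BYTES, Coordinate.naive_file_name)
    return verify_lib_dir(lib, DEPENDENCIES, EXPECTED_SHA256, Coordinate.naive_file_name)


def qualified_findings() -> List[str]:
    lib = build_lib_dir(DEPENDENCIES, JAR_BYTES, Coordinate.qualified_file_name)
    return verify_lib_dir(lib, DEPENDENCIES, EXPECTED_SHA256, Coordinate.qualified_file_name)


if __name__ == "__main__":
    print("naive collisions:", find_collisions(DEPENDENCIES, Coordinate.naive_file_name))
    print("naive findings:", naive_findings())
    print("qualified findings:", qualified_findings())
```

Under the naive scheme both OTEL coordinates map to `opentelemetry-semconv-1.27.0-alpha.jar`, the second copy overwrites the first, and the digest check reports a mismatch for whichever coordinate lost; under the group-qualified scheme the names are distinct and every jar verifies. The digest check is the piece a release pipeline can keep running after the naming fix: a reproducibility diff such as the one linked at the top of the thread catches the wrong jar after the fact, while a per-coordinate digest check catches it before the archive is published.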

wendigo commented 1 month ago

I just did that with the provisio PR linked above, @findepi.