www-repository mailing list archives

From Juven Xu <ju...@sonatype.com>
Subject Re: bad checksums in activemq-protobuf-1.1.pom
Date Fri, 10 Sep 2010 13:06:43 GMT
The incorrect checksums are from repository.apache.org; I just fixed them
[0] by running a Nexus rebuild metadata task. Correct sha1 files will be
synced to central [1] in 4 hours.

Note that ibiblio is only a mirror of central, so we can't guarantee when the
correct data will be synced to it.

The Nexus checksum staging rule was already enabled on repository.apache.org, so
we can make sure future Apache releases won't have incorrect checksums.


On Fri, Sep 10, 2010 at 8:09 PM, Steve Loughran <steve.loughran@gmail.com> wrote:

> The pom file to go with activemq-protobuf-1.1.pom has different
> checksums from those alongside it.
> http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom
> http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom.sha1
> says 255bd0c7703022d85da7416f87802a11053de120
> but shasum activemq-protobuf-1.1.pom
> c92f02aa8a96139ff4274e8c80701bb8f4bd7c1e  activemq-protobuf-1.1.pom
> Seems to me we should have a policy wrt invalid checksums. The
> simplest is, going forwards, don't allow artifacts that are
> inconsistent, for security reasons. For stuff that is already up
> there, after telling off the relevant teams and getting them to verify
> the JAR/POM by hand against their release artifacts, maybe we should
> rm or update the checksums,

- juven
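
An added example, not part of either message: a Python version of the check Steve ran by hand with `shasum`, comparing an artifact against its `.sha1` sidecar. The file names and contents are constructed, and the sidecar layouts handled (bare digest, `digest  filename`, `SHA1(file)= digest`) are an assumption about what a repository or mirror may serve.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX40 = re.compile(r"\b[0-9a-fA-F]{40}\b")

def parse_sidecar(text):
    """Return the single SHA-1 digest found in a .sha1 sidecar, lowercased."""
    digests = {d.lower() for d in HEX40.findall(text)}
    if len(digests) != 1:
        # Empty, HTML error page, or ambiguous content: fail closed.
        raise ValueError("expected exactly one SHA-1 digest, found %d" % len(digests))
    return digests.pop()

def sha1_of(path, chunk=65536):
    """Hash the file in chunks so large JARs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(artifact, sidecar=None):
    """Return (ok, expected, actual) for an artifact and its .sha1 sidecar."""
    artifact = Path(artifact)
    sidecar = Path(sidecar) if sidecar else artifact.with_name(artifact.name + ".sha1")
    expected = parse_sidecar(sidecar.read_text(encoding="ascii", errors="replace"))
    actual = sha1_of(artifact)
    return expected == actual, expected, actual

def demo():
    """Constructed sample: a stand-in POM with a stale sidecar, then a rebuilt one."""
    with tempfile.TemporaryDirectory() as d:
        pom = Path(d) / "example-1.0.pom"           # hypothetical artifact name
        pom.write_bytes(b"<project><version>1.0</version></project>\n")
        side = Path(d) / "example-1.0.pom.sha1"
        side.write_text("0" * 40 + "\n")            # constructed stale digest
        stale_ok = verify(pom)[0]
        side.write_text(sha1_of(pom) + "  example-1.0.pom\n")  # shasum-style line
        rebuilt_ok = verify(pom)[0]
    return stale_ok, rebuilt_ok

if __name__ == "__main__":
    print(demo())
```

A match only shows that the artifact and sidecar served from the same place agree; it detects stale or corrupted metadata like the case in this thread, not a substitution by someone who can rewrite both files.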
