commons-dev mailing list archives

From Gilles <gil...@harfang.homelinux.org>
Subject Re: [Math] Git question (Was: [VOTE][RC3] Release ...)
Date Wed, 24 Dec 2014 14:04:55 GMT
On Wed, 24 Dec 2014 09:31:46 +0100, Luc Maisonobe wrote:
> On 24/12/2014 03:36, Gilles wrote:
>> On Tue, 23 Dec 2014 14:02:40 +0100, luc wrote:
>>> This is a [VOTE] for releasing Apache Commons Math 3.4 from release
>>> candidate 3.
>>>
>>> Tag name:
>>>   MATH_3_4_RC3 (signature can be checked from git using 'git tag -v')
>>>
>>> Tag URL:
>>> <https://git-wip-us.apache.org/repos/asf?p=commons-math.git;a=commit;h=befd8ebd96b8ef5a06b59dccb22bd55064e31c34>
>>>
>>
>> Is there a way to check that the source code referred to above
>> was the one used to create the JAR of the ".class" files?
>> [Out of curiosity, not suspicion, of course...]
>
> Yes, you can look at the end of the META-INF/MANIFEST.MF file embedded
> in the jar. The second-to-last entry is called Implementation-Build. It
> is automatically created by maven-jgit-buildnumber-plugin and contains
> the SHA1 identifier of the last commit used for the build. Here, it is
> befd8ebd96b8ef5a06b59dccb22bd55064e31c34, so we can check it really
> corresponds to the expected status of the git repository.
>

Can this be considered "secure", i.e. can't this entry in the MANIFEST
file be modified to be the checksum of the repository but with the .class
files being substituted with those coming from another compilation?

Regards,
Gilles
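As an added example (not code from the thread or from Commons Math), the check Luc describes in Python: read Implementation-Build from META-INF/MANIFEST.MF and compare it with the commit the tag points to, and beside it the stronger check that Gilles's question calls for, comparing the .class bytes against a JAR rebuilt locally from the tagged source. The commit hash is the one from the vote mail; the rebuilt JAR, the class names and the build_jar fixture are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile
# Commit the MATH_3_4_RC3 tag points to (from the vote mail quoted above).
EXPECTED_COMMIT = "befd8ebd96b8ef5a06b59dccb22bd55064e31c34"

def parse_manifest(text):
    """Main section of a JAR manifest as a dict. A line starting with a
    space continues the previous value (the format wraps at 72 bytes)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

def implementation_build(jar):
    """Commit the JAR *claims* it was built from; `jar` is a path or file object."""
    with zipfile.ZipFile(jar) as z:
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8")
    return parse_manifest(manifest).get("Implementation-Build")

def manifest_matches_tag(jar, expected_commit=EXPECTED_COMMIT):
    """Weak check: the manifest is just another file in the archive, so a
    match shows consistency, not that the classes came from that commit."""
    return implementation_build(jar) == expected_commit

def class_digests(jar):
    with zipfile.ZipFile(jar) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest()
                for n in z.namelist() if n.endswith(".class")}

def differing_classes(release_jar, rebuilt_jar):
    """Stronger check: .class entries whose bytes differ between the published JAR
    and one rebuilt locally from the tagged source (assumed to exist)."""
    a, b = class_digests(release_jar), class_digests(rebuilt_jar)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def build_jar(manifest_text, classes):
    """Constructed fixture: a minimal in-memory JAR, not a real build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest_text)
        for name, data in classes.items():
            z.writestr(name, data)
    return buf
```

A JAR whose classes were swapped after the build passes manifest_matches_tag just as well as the honest one; only the byte comparison against an independent rebuild tells them apart.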


