From dev-return-15518-archive-asf-public=cust-asf.ponee.io@jmeter.apache.org Wed Jan 27 19:50:04 2021 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mxout1-ec2-va.apache.org (mxout1-ec2-va.apache.org [3.227.148.255]) by mx-eu-01.ponee.io (Postfix) with ESMTPS id 2CF8F180634 for ; Wed, 27 Jan 2021 20:50:04 +0100 (CET) Received: from mail.apache.org (mailroute1-lw-us.apache.org [207.244.88.153]) by mxout1-ec2-va.apache.org (ASF Mail Server at mxout1-ec2-va.apache.org) with SMTP id 5C2DE439D5 for ; Wed, 27 Jan 2021 19:50:03 +0000 (UTC) Received: (qmail 77936 invoked by uid 500); 27 Jan 2021 19:50:02 -0000 Mailing-List: contact dev-help@jmeter.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@jmeter.apache.org Delivered-To: mailing list dev@jmeter.apache.org Received: (qmail 77921 invoked by uid 99); 27 Jan 2021 19:50:02 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 27 Jan 2021 19:50:02 +0000 From: =?utf-8?q?GitBox?= To: dev@jmeter.apache.org Subject: =?utf-8?q?=5BGitHub=5D_=5Bjmeter=5D_vlsi_commented_on_pull_request_=23641=3A?= =?utf-8?q?_update_xercesImpl_to_2=2E12=2E1_=28from_2=2E12=2E0=29?= Message-ID: <161177700269.15632.10722957901386594709.asfpy@gitbox.apache.org> Date: Wed, 27 Jan 2021 19:50:02 -0000 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit References: In-Reply-To: vlsi commented on pull request #641: URL: https://github.com/apache/jmeter/pull/641#issuecomment-768535255 Ah, the library was published by @apupier somehow manually (see https://issues.apache.org/jira/browse/XERCESJ-1724) It is sad Xerces PMC does not publish jars to repository.apache.org :-/ On the other hand, the file at Central is the same as the one in the official release: ``` $ openssl dgst -sha512 Xerces-J-bin.2.12.1.zip SHA512(Xerces-J-bin.2.12.1.zip)= 318222b084e2882b16d230a70d0811882d2e46b0e63e8262098e952d25c9caebf32b40c0d0a1ed68a787f6dd017b5a4fa805c00889429115462dfb2e268a8b28 # jar from the official release $ openssl dgst -sha512 xercesImpl.jar SHA512(xercesImpl.jar)= 811afd85cdd19545785fde7fb39511f1e171e1d021a96117d105e2b2f37715536e17259e6ad0ce897b4c7c8a5bd1e88c9fa0825b0a2ef9f3956cd82944a33957 ``` ``` # jar from OSSRH $ openssl dgst -sha512 xercesImpl-2.12.1.jar SHA512(xercesImpl-2.12.1.jar)= 811afd85cdd19545785fde7fb39511f1e171e1d021a96117d105e2b2f37715536e17259e6ad0ce897b4c7c8a5bd1e88c9fa0825b0a2ef9f3956cd82944a33957 ``` So I agree we should use SHA512, and we should use SHA512 for all other xerces jars. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: users@infra.apache.org