netbeans-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Antonio <anto...@vieiro.net>
Subject Re: [MODULE REVIEW] - o.eclipse.jgit - Questions
Date Wed, 11 Oct 2017 05:35:53 GMT


On 11/10/17 00:59, John McDonnell wrote:
>>> 2.
>>>
>>> There's 1 external dependency here:
>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar
>>>
>>> I'm not sure about the nosignature part, but I can find[1] this
>>> version which I guess is the same one, but when I change the
>>> binaries-list file to use
>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029
>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>
>>> I got an error as the hash was wrong and had to change it to be:
>>> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5
>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r
>>>
>>> Should I be viewing this as a potential question mark, or is it okay?
>>
>>
>> Enter the SHA-1 Checksum at the bottom of this page:
>>
>> http://search.maven.org/#advancedsearch
>>
>> And doublecheck that the version (name, etc.) is correct.
> 
> Nope, that hash didn't return anything from that search tool.

This is confusing, I know, so please let me try to explain myself again.

It's normal that the original SHA1 sum (B580E446B54... ) is NOT in maven 
central. This is so because ages ago the original jar binary file was 
uploaded to the NetBeans repository by the NSA/KGB/CIA guys :-D.

The idea is to look up the jar again in maven central and fetch a proper 
binary hash sum. The error suggests (47D59DF...).

What I meant when I said "doublecheck that the version is correct" is 
that we should now check this new checksum in the 
http://search.maven.org/#advancedsearch page. If we do so we get [1], 
which looks correct (same artifact name, same version) for this binary.

So now we can get rid of that NSA/KGB binary that was once placed there 
in the NetBeans repository (with that B580E... checksum), and replace it 
with one from Maven central (with that 47D59DF... checksum). This is 
safer, because NSA/KGB have new hacking techniques and do deliver now 
new official binaries from maven central. :-D

So, to summarize, we once had this line in the binaries-list file:

B580E446B543A8DD2F5AA368B07F9C4C9C2E7029 
org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar

With a SHA-1 sum that is NOT in maven central, and we now have to 
replace it with

47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5 
org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r

With corresponds to the official maven binary, with the latest NSA/KGB 
patches applied.


[1] 
http://search.maven.org/#search%7Cga%7C1%7C1%3A%2247D59DFFB5F02470CCFB6C1A5A31B6040A1636E5%22

> 
>> If the name of the jar file is different from the original entry you'll have
>> to update nbproject/project.xml and nbproject/project.properties. In your
>> case the original file had a '_nosignature' thing there, which is missing in
>> the file downloaded from central.

The original binary was named

org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar

And the one from maven central is named differently:

org.eclipse.jgit-3.6.2.201501210735-r.jar

So we'll have to modify nbproject/project.properties and 
nbproject/project.xml to reflect this name change.

In project.properties we see

release.external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar=modules/org-eclipse-jgit.jar

That should be changed to

release.external/org.eclipse.jgit-3.6.2.201501210735-r.jar=modules/org-eclipse-jgit.jar

(removing the _nosignature stuff)

and in project.xml

             <class-path-extension>
 
<runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
 
<binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar</binary-origin>
             </class-path-extension>

should now look like:


             <class-path-extension>
 
<runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path>
 
<binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r.jar</binary-origin>
             </class-path-extension>

(removing the _nosignature suffix)

To verify that these changes are correct just run "ant test" in the 
module directory.


[2] 
http://repo1.maven.org/maven2/org/eclipse/jgit/org.eclipse.jgit/3.6.2.201501210735-r/


> 
> No worries, thanks for the advice.  I might move this to one side and
> start another module tomorrow and come back to it.
> 

Ok. Let me know if you need help (but I'll be offline for a few hours 
from now).

Cheers,
Antonio



Mime
View raw message