www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carlos Sanchez <car...@apache.org>
Subject Re: How to get rid of bad sig that has been replicated
Date Fri, 19 Jun 2009 00:58:55 GMT
done

On Thu, Jun 18, 2009 at 5:34 PM, Phil Steitz<phil@steitz.com> wrote:
> Carlos Sanchez wrote:
>>
>> is this the one to be deleted ?
>>
>> http://repo1.maven.org/maven2/commons-pool/commons-pool/1.2/commons-pool-1.2-sources.jar.asc
>>
>>
>
> Yes.
>>
>> On Thu, Jun 18, 2009 at 5:14 PM, Phil Steitz<phil@steitz.com> wrote:
>>
>>>
>>> Carlos Sanchez wrote:
>>>
>>>>
>>>> the source has propagated to the users already. The signature is not
>>>> downloaded by maven so it's better to change the later.
>>>>
>>>> Maybe you can compare the contents of the old jar and confidently sign
>>>> it?
>>>>
>>>>
>>>
>>> OK.  I just deleted the 1.2 files from people.  I will download the
>>> published jar, inspect it, sign it and put the good sig on people to
>>> replicate.  Thanks!
>>>
>>>>
>>>> On Thu, Jun 18, 2009 at 4:58 PM, Phil Steitz<phil@steitz.com> wrote:
>>>>
>>>>
>>>>>
>>>>> Carlos Sanchez wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> what's the sig file that needs to be deleted?
>>>>>> delete it from people.apache and then I'll do the same from central
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Could we possibly nuke the "old" source jar instead?  That way we end
>>>>> up
>>>>> with a signed jar on central.  The jar in question is
>>>>> commons-pool-1.2-sources.jar and we would have to delete the .md5 and
>>>>> .sha1
>>>>> in central too if we go this route..
>>>>>
>>>>> If you don't like that idea, I will delete from people.
>>>>>
>>>>> Thanks, Carlos, and sorry for the screw-up.
>>>>>
>>>>> Phil
>>>>>
>>>>>
>>>>>>
>>>>>> On Thu, Jun 18, 2009 at 4:30 PM, Phil Steitz<phil@steitz.com>
wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Earlier this week I put signed source jars for commons pool 1.1-1.4
>>>>>>> in
>>>>>>> the
>>>>>>> m2-ibiblio-rsynch repo.  I did not notice that a source jar
already
>>>>>>> existed
>>>>>>> for version 1.2 in maven central.  That jar did not have a sig.
 What
>>>>>>> appears to have happened is that the new source jar did not overwrite
>>>>>>> the
>>>>>>> old one in repo1, but the new sig file did get replicated.  The
>>>>>>> result
>>>>>>> is
>>>>>>> that the sig does not match the jar.   How can we fix this?
>>>>>>> Phil
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>
>>>
>
>

Mime
View raw message