www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Phil Steitz <p...@steitz.com>
Subject Re: How to get rid of bad sig that has been replicated
Date Fri, 19 Jun 2009 00:34:23 GMT
Carlos Sanchez wrote:
> is this the one to be deleted ?
> http://repo1.maven.org/maven2/commons-pool/commons-pool/1.2/commons-pool-1.2-sources.jar.asc
>
>   
Yes.
> On Thu, Jun 18, 2009 at 5:14 PM, Phil Steitz<phil@steitz.com> wrote:
>   
>> Carlos Sanchez wrote:
>>     
>>> the source has propagated to the users already. The signature is not
>>> downloaded by maven so it's better to change the later.
>>>
>>> Maybe you can compare the contents of the old jar and confidently sign it?
>>>
>>>       
>> OK.  I just deleted the 1.2 files from people.  I will download the
>> published jar, inspect it, sign it and put the good sig on people to
>> replicate.  Thanks!
>>     
>>> On Thu, Jun 18, 2009 at 4:58 PM, Phil Steitz<phil@steitz.com> wrote:
>>>
>>>       
>>>> Carlos Sanchez wrote:
>>>>
>>>>         
>>>>> what's the sig file that needs to be deleted?
>>>>> delete it from people.apache and then I'll do the same from central
>>>>>
>>>>>
>>>>>           
>>>> Could we possibly nuke the "old" source jar instead?  That way we end up
>>>> with a signed jar on central.  The jar in question is
>>>> commons-pool-1.2-sources.jar and we would have to delete the .md5 and
>>>> .sha1
>>>> in central too if we go this route..
>>>>
>>>> If you don't like that idea, I will delete from people.
>>>>
>>>> Thanks, Carlos, and sorry for the screw-up.
>>>>
>>>> Phil
>>>>
>>>>         
>>>>> On Thu, Jun 18, 2009 at 4:30 PM, Phil Steitz<phil@steitz.com> wrote:
>>>>>
>>>>>
>>>>>           
>>>>>> Earlier this week I put signed source jars for commons pool 1.1-1.4
in
>>>>>> the
>>>>>> m2-ibiblio-rsynch repo.  I did not notice that a source jar already
>>>>>> existed
>>>>>> for version 1.2 in maven central.  That jar did not have a sig. 
What
>>>>>> appears to have happened is that the new source jar did not overwrite
>>>>>> the
>>>>>> old one in repo1, but the new sig file did get replicated.  The result
>>>>>> is
>>>>>> that the sig does not match the jar.   How can we fix this?
>>>>>> Phil
>>>>>>
>>>>>>
>>>>>>
>>>>>>             
>>>>         
>>     


Mime
View raw message