www-repository mailing list archives

From Steve Loughran <steve.lough...@gmail.com>
Subject bad checksums in activemq-protobuf-1.1.pom
Date Fri, 10 Sep 2010 12:09:11 GMT
The pom file to go with activemq-protobuf-1.1.pom has different
checksums from those alongside it.
http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom

http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/activemq/protobuf/activemq-protobuf/1.1/activemq-protobuf-1.1.pom.sha1
says 255bd0c7703022d85da7416f87802a11053de120

but shasum activemq-protobuf-1.1.pom
c92f02aa8a96139ff4274e8c80701bb8f4bd7c1e  activemq-protobuf-1.1.pom

Seems to me we should have a policy wrt invalid checksums. The
simplest is, going forwards, don't allow artifacts that are
inconsistent, for security reasons. For stuff that is already up
there, after telling off the relevant teams and getting them to verify
the JAR/POM by hand against their release artifacts, maybe we should
rm or update the checksums,
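
The consistency check discussed in this message, generalized to a whole repository tree, as an added example that is not part of the original message or of any Maven tooling. It assumes each `.sha1` sidecar holds a bare hex digest or a `digest  filename` line; the function names, file names and sample contents are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SHA1_HEX = re.compile(r"\b[0-9a-fA-F]{40}\b")

def published_sha1(sidecar):
    # Assumption: the sidecar is a bare hex digest or a "digest  filename"
    # line, so the first 40-hex-digit token is taken as the digest.
    match = SHA1_HEX.search(sidecar.read_text(errors="replace"))
    return match.group(0).lower() if match else None

def actual_sha1(artifact):
    return hashlib.sha1(artifact.read_bytes()).hexdigest()

def audit(repo_root):
    """Return {relative artifact path: status} for every .sha1 sidecar."""
    report = {}
    for sidecar in sorted(Path(repo_root).rglob("*.sha1")):
        artifact = sidecar.with_suffix("")  # drop the trailing ".sha1"
        name = artifact.relative_to(repo_root).as_posix()
        published = published_sha1(sidecar)
        if not artifact.is_file():
            report[name] = "missing-artifact"
        elif published is None:
            report[name] = "unparsable-checksum"
        elif published != actual_sha1(artifact):
            report[name] = "mismatch"
        else:
            report[name] = "ok"
    return report

def demo():
    # Constructed sample repository; file contents and digests are made up.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good, bad = root / "good-1.0.pom", root / "bad-1.0.pom"
        good.write_bytes(b"<project>good</project>\n")
        bad.write_bytes(b"<project>bad</project>\n")
        (root / "good-1.0.pom.sha1").write_text(actual_sha1(good) + "  good-1.0.pom\n")
        (root / "bad-1.0.pom.sha1").write_text("0" * 40 + "\n")
        (root / "gone-1.0.pom.sha1").write_text("not a digest\n")
        return audit(root)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:20} {path}")
```

Anything other than `ok` is a candidate for rejection at upload time, or for the by-hand verification against release artifacts proposed above.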
