[Bug 461669] would be nice if we could use 'validate' when we make composites
| Bugzilla Link | 461669 |
| Status | NEW |
| Importance | P3 normal |
| Reported | Mar 08, 2015 19:56 EDT |
| Modified | Apr 04, 2021 13:36 EDT |
| Reporter | David Williams |
Description
Or, I could have titled this "what is wrong with org.pushingpixels.trident_1.2.0.xxxxxxxxx"
This first came to my attention, because I ran the b3 aggregator (from home network, not build.eclipse.org) with mirrors enabled, and, some p2 options "turned on", so I could see what was coming from mirrors, and how often, etc.
[This "how to" is described in https://wiki.eclipse.org/Equinox/p2/p2.mirrorsURL]
The actual "aggregation job" failed, because it said "could not mirror all artifacts". Looking for that, it was
org.pushingpixels.trident,1.2.0.v20110609-1700 from repository http://download.eclipse.org/xwt/release-1.1.0
So, ok, XWT's fault, right?
Well, maybe, at least partially, but the reason was
MD5 hash is not as expected. Expected: 4420d4b4baa516151255059a13ae3805 and found 882d814bd30e0078389b1e654ad15058
Hmm, interesting ... I assumed this was a case where "the same version/qualifier" of an artifact had "different content". So, started looking for that, on our own "download.eclipse.org" servers. The results were not pleasing, at all.
First, naturally, looked in Orbit:
$ find . -name "org.pushingpixels.trident_1.2.0*.jar" -exec md5sum '{}' \; | sort
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/I20150127213331/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/I20150202203538/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/R20130517111416/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/R20130827064939/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/R20140114142710/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/R20140525021250/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/R20150124073747/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/S20140917154621/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/S20141023165154/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/S20141129202728/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
6737387e90dc3fb44ddcb0f25f094ff7 ./drops/S20150202203538/repository/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
Well, all consistent there (but, note, the qualifier is from 2013, whereas the original "error case" had a qualifier from 2011). So ... I looked further.
Luna:
$ find . -name "org.pushingpixels.trident_1.2.0*.jar" -exec md5sum '{}' \; | sort
120f1894cea2253add9e85425cca8f2d ./201406250900/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar
55a302e38f44b3094b0d6224cc6cbbf8 ./201406250900/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
55a302e38f44b3094b0d6224cc6cbbf8 ./201409261001/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
55a302e38f44b3094b0d6224cc6cbbf8 ./201501121000/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
55a302e38f44b3094b0d6224cc6cbbf8 ./201502271000/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
882d814bd30e0078389b1e654ad15058 ./201409261001/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar
882d814bd30e0078389b1e654ad15058 ./201501121000/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar
882d814bd30e0078389b1e654ad15058 ./201502271000/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar
Not consistent, doesn't match "Orbit". At least some match the "found" value in error message.
Mars (so far):
$ find . -name "org.pushingpixels.trident_1.2.0*.jar" -exec md5sum '{}' \; | sort
3c9c7383c6d2b781977474a2402bcf5e ./201412191000/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
3c9c7383c6d2b781977474a2402bcf5e ./201502061000/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
4420d4b4baa516151255059a13ae3805 ./201412191000/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar
4420d4b4baa516151255059a13ae3805 ./201502061000/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar
55a302e38f44b3094b0d6224cc6cbbf8 ./201408221000/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
55a302e38f44b3094b0d6224cc6cbbf8 ./201410031000/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
882d814bd30e0078389b1e654ad15058 ./201408221000/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar
882d814bd30e0078389b1e654ad15058 ./201410031000/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar
882d814bd30e0078389b1e654ad15058 ./201411141000/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar
928b774782a9fcf4ddfde7acc0f6ae86 ./201411141000/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
Not consistent, doesn't match "Orbit". At least some match the "found" value in error message AND some match "expected" value in error message. These are the two groups of v20110609-1700, in list. So, this is ?probably? a case where "same version/qualifier" does not have "same content".
And, finally "staging":
$ find . -name "org.pushingpixels.trident_1.2.0*.jar" -exec md5sum '{}' \; | sort
3c9c7383c6d2b781977474a2402bcf5e ./plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar
4420d4b4baa516151255059a13ae3805 ./plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar
Not consistent, doesn't match "Orbit". At least one matches "expected" value in error message.
Now, as far as I know, the only difference is something trivial, such as exact date signed, or something?
But raises a number of questions:
Why isn't the Orbit version being used?
Why does the Orbit version (that is, version 1.2.0.v201305152020) vary so widely in other repos? (If I had to guess, I'd guess people are "re-signing" it?)
I'm not sure how to combat this problem?
Do we "fail the build" if the md5sum differs from what is "already in another "released" repo"?
Not to mention, how do we correct the "problem that exists in the wild"?
Offhand, moving forward, I'd suggest everyone specify a "required" version that includes the qualifier, and, at least start with the 2013 version, make sure you don't re-sign it, and that would at least help "in the future".
But, not sure we can fix "what exists".
(Unless someone comes up with a Nobel Prize winning idea? :)
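An added example, not part of the original report and not code from p2 or the b3 aggregator: one way to implement the two checks the report raises. `conflicts` flags a jar file name that appears with more than one digest in `md5sum` output, and `payload_digest` hashes a jar while skipping signing artifacts, so a re-signed copy can be told apart from a copy whose content changed. The function names and the constructed jars are assumptions; skipping `MANIFEST.MF` also hides any other manifest change.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# Files that JAR signing adds; signing also rewrites META-INF/MANIFEST.MF
# with per-entry digests, so the manifest is skipped as well (assumption).
SIGNING_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def conflicts(md5sum_lines):
    """Return {jar file name: digests} for names listed with more than one digest."""
    seen = defaultdict(set)
    for line in md5sum_lines:
        parts = line.split(None, 1)
        if len(parts) == 2:
            digest, path = parts
            seen[path.strip().rsplit("/", 1)[-1]].add(digest.lower())
    return {name: digests for name, digests in seen.items() if len(digests) > 1}

def payload_digest(jar_bytes):
    """SHA-256 over entry names and bytes, ignoring signing artifacts."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in sorted(jar.namelist()):
            upper = name.upper()
            if upper == "META-INF/MANIFEST.MF" or (
                    upper.startswith("META-INF/") and upper.endswith(SIGNING_SUFFIXES)):
                continue
            data = jar.read(name)
            h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def make_jar(entries):  # builds a small in-memory jar (constructed input)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Three lines copied from the Luna listing in the report above.
LUNA = [
    "120f1894cea2253add9e85425cca8f2d ./201406250900/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar",
    "55a302e38f44b3094b0d6224cc6cbbf8 ./201406250900/plugins/org.pushingpixels.trident_1.2.0.v201305152020.jar",
    "882d814bd30e0078389b1e654ad15058 ./201409261001/plugins/org.pushingpixels.trident_1.2.0.v20110609-1700.jar",
]
# Constructed jars: A and B carry the same class under different signatures; C differs.
JAR_A = make_jar({"META-INF/MANIFEST.MF": b"m1", "META-INF/S.SF": b"2011", "A.class": b"v1"})
JAR_B = make_jar({"META-INF/MANIFEST.MF": b"m2", "META-INF/S.SF": b"2014", "A.class": b"v1"})
JAR_C = make_jar({"META-INF/MANIFEST.MF": b"m1", "META-INF/S.SF": b"2011", "A.class": b"v2"})

if __name__ == "__main__":
    print(conflicts(LUNA), payload_digest(JAR_A) == payload_digest(JAR_B))
```

A build gate could exit non-zero when `conflicts` returns anything, and use `payload_digest` to report whether the mismatch is limited to signing files.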