SHA-SUM is wrong and files SHAs differ depending on Mirror
Summary
SHA-512 SUM does not match file. Further investigation reveals SHA-SUM from Netherlands-LiteServer differs from other download mirrors.
Steps to reproduce
Browse to download page
https://www.eclipse.org/downloads/download.php?file=/ee4j/jakartaee-tck/jakartaee11/staged/eftl/jakarta-websocket-tck-2.2.0.zip
(I am offered the Netherlands-LiteServer mirror)
Note the SHA-512 SUM provided by the UI Button (3284c6f45193a5f5e34b8bb9c65e222b6a35dd66a9c141466c0e35f36a7fb88ed9f7b498eb2688aa3d5be852a356bfc5165b9c49b5a17331ce99658cf2ad4d31
).
Download the TCK (from Netherlands LiteServer).
On my machine, the SHA-512 does not match the previously noted SHA-512.
(Computed SHA-512 -- 7de94c68296f194b35df57e1e7d9832943f29de8a6a24d5c8ab74a313c3ad815a335b3ba287d8c0aa88bd97839c4511b962ea3b003ca344161410a7c
)
Select an alternate mirror server (I picked Main Eclipse Downloads)
(Computed SHA-512 -- dd24dc092b20e55eda1e939227642d9d4bafc4462de16f647ff4771b08693db201f5bd490cc88956d0c82d31cafb5ce8d7ffdd4f0ec7221bb0d30bb5
)
(Note this matched neither the SHA-SUM provided by the UI button, nor the SHA-SUM of the Netherlands Server Lite.)
I checked the download from the Portugal and Netherlands, not lite and they matched the SHA-SUM of the Main Eclipse Download Site)
Linux Shell cmd also verifies that the files on Main Eclipse and Portugal mirrors match while the file provided by Netherlands ServerLite differs.
$ cmp jakarta-websocket-tck-2.2.0.zip jakarta-websocket-tck-2.2.0\( 2\).zip jakarta-websocket-tck-2.2.0.zip jakarta-websocket-tck-2.2.0(2).zip differ: byte 21461, line 83
I used 7-Zip to validate the TCK (Test function) and all seemed to test "OK". I have not attempted to try to examine the extracted content.
What is the current bug behavior?
SHA-512 must match the sum provided in the UI. The SHA for each download should be identical -- otherwise, it's not a very robust mirror.
What is the expected correct behavior?
All SHA-512 sums should be same and validate correctly to the file.
Relevant logs and/or screenshots
(Add a link to or paste any relevant logs - please use code blocks (```) to format console output, logs, and code, as it's very hard to read otherwise.)
Priority
-
Urgent -
High -
Medium -
Low
Severity
-
Blocker -
Major -
Normal -
Low
Impact
Jakarta EE Specification ballots are held-up since we cannot verify the SHA-SUMs. Actual TCK users may refuse to use these TCKs since they have no way of determining that they have not been altered (nor would they obtain the same SUM depending on which server was selected for them)