Hi, I'm working with Ondrej on it.

Is it possible to update it somehow on "https://download.eclipse.org/"?

Best regards,
Oleksii Korniienko

On Mon, Aug 28, 2023 at 1:28 PM Joakim Erdfelt via cross-project-issues-dev
<cross-project-issues-dev@eclipse.org> wrote:

> Since I'm the one that built Eclipse Jetty 10.0.15, let's see what's going
> on ...
>
> First, the official release of 10.0.15 ...
>
> The official release does not live on a P2 repository anywhere on
> download.eclipse.org
> The official release exists as a maven (tycho) p2 artifact on maven
> central.
> The official release of the jetty-jndi 10.0.15 artifact has the following
> verification ...
>
> md5:    785f479c6433717bee8e9bb94df56c11
> sha1:   7825525aae7c7e11e7cef57672e43e5e4d727856
> sha256: c01a1d2ea0ebac1565f4c8e92d1b5151daf14ac09502efd52f5536a59245cb16
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAABCAAdFiEEWYm692IXuEPWa+VbLQ4fuP5LaLQFAmQ1mJ8ACgkQLQ4fuP5L
> aLQYVQ/+ONbSADgGLnMxDSQ6A/tPo70citQMu4uNw6OE/eSb5kvya4cjRAxpbioD
> vwcsDowHab2ydg4f+o9O+UnhKTUGxLFS+zjl42/WUlodgMFLZXf3mRJui19ful6P
> pigeCdsasIBSgwu6ptq+ymKFLLwjH3P4jOip3pZkRujO9NsPDmtOX2biVjrK3VrW
> 6PHDh4ruxU9I2ApSgFjlYhbiYy4twhQiaEIwF5j5x2UUJGNbinRbmHpLe1OYy3AJ
> 70cpkd7jrRgwZ4r8TarKhUa2DiKncgm9lrDkLgoDrkQapGPxis5NSo0vXy6oyhYb
> sCRZZF3MQMk26IDZYLWUAacyl4DuM5M2XwG5Pma2OYM15SLoA0NyVfGFQVUIEEEF
> /Z1H5PELcf80VoOgtHPNLBJRM1BTijteFdHGteYju6l0s1Gh1b9LFxDzJ+eYEwFS
> jG2IsnmF7hBZJk10a7NXnWAK3NguCQMLSVJ4KlaLMc2rzAGHkiDvAj0h6o/3UuPz
> rxl+d5behICgZxRv8DIRmIVdZAe/2SjChIbiFcyVbIgEEBiM9xuHZqsCkPRpKl1a
> i5xXmG/K1dsoVzFJAFGeZFf3XV8/rOad0xHxPkAOd2UlxG6ilkqu7uoUOY8eTru0
> 3l8j2KGUcXqvZ0+GnsQAWD2Ge4PZ+VYc7ba2GWfENNLH1YIy4g4=
> =r9xH
> -----END PGP SIGNATURE-----
>
> The suspect org.eclipse.jetty.jndi_10.0.15.jar artifact found at
> https://download.eclipse.org/staging/2023-09/plugins/
>
> Has the following verification (which doesn't match the official release)
> ...
>
> md5:    8f2d6b1e2acef3285e3a12f62042890c
> sha1:   488a1601bae6f4d0357e6a4b4174e1dcfca068af
> sha256: 623f2009671f0138495fd659622fd78e3153671a50a1c280aeb2410e9365b455
>
> Digging into the contents of the suspect
> org.eclipse.jetty.jndi_10.0.15.jar artifact I can see that it's been
> modified.
> It appears that the META-INF/MANIFEST.MF has been modified, now every
> class has a SHA-256-Digest entry.
> There are also a new META-INF/ECLIPSE_.SF and META-INF/ECLIPSE_.RSA
> entries in the jar file (likely JAR signatures).
>
> The binary comparison of the contents of the official jar vs the eclipse
> jar shows that only the 3 files mentioned above are different.
> META-INF/MANIFEST.MF
> META-INF/ECLIPSE_.SF
> META-INF/ECLIPSE_.RSA
> The rest of the files are identical to the official jetty-jndi 10.0.15
> artifact.
>
> I don't understand why Jetty is present anywhere on download.eclipse.org
> in this molested form, the tycho-p2 information present on maven central
> for Eclipse Jetty contains all of the validation, verification (3 kinds),
> and signatures (2 kinds) to satisfy P2 without modifying the original
> artifacts.  The Jetty Tycho P2 maven repository is how the Eclipse Jetty
> artifacts are meant to be consumed, not via these transient ancient Eclipse
> P2 repositories.
>
> The Jetty Tycho P2 information on Maven Central ->
> https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-p2/11.0.15/
>
> Now, back to your error ...
> 12:05:07 [ERROR]    Problems downloading artifact:
> osgi.bundle,org.eclipse.jetty.jndi,10.0.15.:
> 12:05:07 [ERROR]       MD5 hash is not as expected. Expected:
> 785f479c6433717bee8e9bb94df56c11 and found 8f2d6b1e2acef3285e3a12f62042890c.
>
> The "Expected" hash value in your error is the official artifact md5 hash
> value, the "found" hash value in your error is the md5 hash value for the
> download.eclipse.org artifact.
>
> Of special note ...
>
> Over the past couple of years the Eclipse Jetty project has learned of
> several projects that provide Supply Chain Auditing for anyone that is
> concerned about that.
> Every official release of Eclipse Jetty gets updated in these various
> databases.
> The process that these Ancient Eclipse P2 Repositories use, where we
> modify various official artifacts with JAR signatures on every transient
> build of these P2 repositories, is the reason the ancient Eclipse P2
> technique artifacts will never be recognized by any of those supply chain
> databases as the official release of those artifacts.
> Releasing the same artifacts as official releases at a later date, using
> these ancient Eclipse P2 techniques, is just inviting failed audits (and
> this isn't limited to Eclipse Jetty, it also includes any 3rd party jar/lib
> that is modified by this ancient Eclipse P2 technique).
>
> - Joakim
>
>
> On Mon, Aug 28, 2023 at 5:12 AM Ondrej Dockal via cross-project-issues-dev
> <cross-project-issues-dev@eclipse.org> wrote:
>
>> Hey folks,
>>
>> in RedDeer build [1] we are facing an issue when running the tests with a
>> checksum for org.eclipse.jetty.jndi.
>>
>> Error message:
>>
>> 12:05:07 [INFO] Fetching org.eclipse.jetty.util_10.0.15.jar from https://download.eclipse.org/staging/2023-09/plugins/ (557.33kB)
>> 12:05:07 [INFO] Fetching org.eclipse.jetty.jndi_10.0.15.jar from https://download.eclipse.org/staging/2023-09/plugins/ (56.39kB)
>> 12:05:07 [ERROR] An error occurred while transferring artifact canonical: osgi.bundle,org.eclipse.jetty.jndi,10.0.15 from repository https://download.eclipse.org/staging/2023-09:
>> 12:05:07 [ERROR]    Problems downloading artifact: osgi.bundle,org.eclipse.jetty.jndi,10.0.15.:
>> 12:05:07 [ERROR]       MD5 hash is not as expected. Expected: 785f479c6433717bee8e9bb94df56c11 and found 8f2d6b1e2acef3285e3a12f62042890c.
>>
>>
>> Any hints?
>>
>> Regards,
>>
>> Ondrej
>>
>> [1]:
>> https://ci.eclipse.org/reddeer/job/reddeer.verification.parametrized/136/console
>> --
>>
>> Ondrej Dockal
>>
>> Senior Software Quality Engineer, Developer QE
>>
>> Red Hat Czech, s.r.o. <https://www.redhat.com/>
>>
>> Purkyňova 111
>>
>> Brno 612 00, Czech Republic
>>
>> odoc...@redhat.com
>> _______________________________________________
>> cross-project-issues-dev mailing list
>> cross-project-issues-dev@eclipse.org
>> To unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
>>
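As an added example (not code from this thread, and not tooling from the Eclipse or Jetty projects), the following Python script reproduces the checks Joakim describes: it compares a downloaded JAR's md5/sha1/sha256 against published values, diffs two JARs entry by entry, and decides whether the only differences are the signing-related META-INF entries (MANIFEST.MF plus the ECLIPSE_.SF/ECLIPSE_.RSA files) or whether the classes themselves changed. The two JARs are constructed in memory with placeholder class bytes; they are not the real org.eclipse.jetty.jndi_10.0.15.jar, so their digests are not the ones quoted above. It also parses the exact Tycho error line from the thread to pull out the expected (official) and found (staging) hashes.

```python
# Verify a downloaded JAR against published digests and explain a mismatch by
# diffing its entries against the official artifact. Sample JARs are constructed.
import base64
import hashlib
import io
import re
import zipfile

# Entries a JAR-signing step (jarsigner / the Eclipse signing service) legitimately
# rewrites or adds. Any other difference means the code itself changed.
SIGNING_ENTRIES = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")
TYCHO_HASH_ERROR = re.compile(
    r"(?P<algo>MD5|SHA-?1|SHA-?256) hash is not as expected\. "
    r"Expected: (?P<expected>[0-9a-fA-F]+) and found (?P<found>[0-9a-fA-F]+)")

def build_jar(entries):
    """Build a deterministic ZIP/JAR from {name: bytes} (fixed timestamps)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(entries.items()):
            info = zipfile.ZipInfo(name, date_time=(2023, 4, 11, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()

def signed_manifest(main_section, entries):
    """Append the per-entry 'Name'/'SHA-256-Digest' sections that signing adds
    (base64 of the SHA-256 of each entry's uncompressed bytes)."""
    out = main_section.rstrip(b"\r\n") + b"\r\n\r\n"
    for name, data in sorted(entries.items()):
        digest = base64.b64encode(hashlib.sha256(data).digest())
        out += b"Name: " + name.encode() + b"\r\nSHA-256-Digest: " + digest + b"\r\n\r\n"
    return out

def digests(data):
    """The three digests a release publishes, as lowercase hex."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def verify_digests(data, published):
    """Algorithms whose published digest does NOT match the data; [] means OK."""
    actual = digests(data)
    return sorted(a for a, v in published.items() if actual[a] != v.lower())

def jar_entries(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

def diff_jars(official, suspect):
    """Entry-by-entry comparison of two JARs by uncompressed content."""
    a, b = jar_entries(official), jar_entries(suspect)
    common = set(a) & set(b)
    return {"added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)),
            "modified": sorted(n for n in common if a[n] != b[n]),
            "identical": sorted(n for n in common if a[n] == b[n])}

def only_resigned(diff):
    """True when every difference is a signing-related META-INF entry, i.e. the
    classes are byte-identical and the JAR was merely re-signed/repackaged."""
    changed = diff["added"] + diff["removed"] + diff["modified"]
    return bool(changed) and all(SIGNING_ENTRIES.match(n) for n in changed)

def parse_tycho_hash_error(line):
    """Pull algorithm, expected and found hashes out of a Tycho/p2 checksum error."""
    m = TYCHO_HASH_ERROR.search(line)
    if not m:
        return None
    return {"algo": m["algo"].lower().replace("-", ""),
            "expected": m["expected"].lower(), "found": m["found"].lower()}

# --- constructed sample artifacts (placeholders, not the real Jetty bundle) ---
BASE_MANIFEST = (b"Manifest-Version: 1.0\r\nBundle-SymbolicName: org.eclipse.jetty.jndi\r\n"
                 b"Bundle-Version: 10.0.15\r\n")
CLASS_BYTES = b"\xca\xfe\xba\xbe\x00\x00\x00\x37constructed-class-body"  # not real bytecode
CODE = {"org/eclipse/jetty/jndi/NamingContext.class": CLASS_BYTES,
        "org/eclipse/jetty/jndi/ContextFactory.class": CLASS_BYTES + b"-2"}
OFFICIAL = build_jar({"META-INF/MANIFEST.MF": BASE_MANIFEST, **CODE})
SIGNATURE_FILES = {"META-INF/ECLIPSE_.SF": b"Signature-Version: 1.0\r\n(constructed)\r\n",
                   "META-INF/ECLIPSE_.RSA": b"\x30\x82constructed-pkcs7-signature-block"}
# Same classes, re-signed: manifest gains digests, .SF/.RSA are added.
RESIGNED = build_jar({"META-INF/MANIFEST.MF": signed_manifest(BASE_MANIFEST, CODE),
                      **SIGNATURE_FILES, **CODE})
# Re-signed AND one class altered: must not be accepted as "just re-signed".
TAMPERED = build_jar({"META-INF/MANIFEST.MF": signed_manifest(BASE_MANIFEST, CODE),
                      **SIGNATURE_FILES, **CODE,
                      "org/eclipse/jetty/jndi/NamingContext.class": CLASS_BYTES + b"-patched"})

def main():
    published = digests(OFFICIAL)  # stands in for the release's published md5/sha1/sha256
    print("suspect digest mismatches:", verify_digests(RESIGNED, published))
    diff = diff_jars(OFFICIAL, RESIGNED)
    print("added:", diff["added"], "modified:", diff["modified"])
    print("only re-signed:", only_resigned(diff))
    print("tampered only re-signed:", only_resigned(diff_jars(OFFICIAL, TAMPERED)))
    print(parse_tycho_hash_error("12:05:07 [ERROR]       MD5 hash is not as expected. "
                                 "Expected: 785f479c6433717bee8e9bb94df56c11 "
                                 "and found 8f2d6b1e2acef3285e3a12f62042890c."))

if __name__ == "__main__":
    main()
```

The useful property for an audit is the second check, not the first: a whole-file digest mismatch only says the bytes differ, while the entry-level diff shows whether the difference is confined to signing metadata (the situation in this thread) or reaches into the classes, which is what would justify treating the artifact as tampered rather than merely repackaged.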
