As I mentioned in this email

https://www.eclipse.org/lists/cross-project-issues-dev/msg19723.html

it is already fixed in staging.  You can verify that

https://download.eclipse.org/staging/2023-09/plugins/org.eclipse.jetty.jndi_10.0.15.jar

is not signed

and that it correctly matches the *original* md5 specified in the artifacts.jar:

$ md5sum org.eclipse.jetty.jndi_10.0.15\(4\).jar
785f479c6433717bee8e9bb94df56c11 *org.eclipse.jetty.jndi_10.0.15(4).jar

On 29.08.2023 10:54, Oleksii Korniienko via cross-project-issues-dev wrote:
Hi, I'm working with Ondrej on it.

Is it possible to update it somehow on "https://download.eclipse.org/"?

Best regards,
Oleksii Korniienko

On Mon, Aug 28, 2023 at 1:28 PM Joakim Erdfelt via cross-project-issues-dev <cross-project-issues-dev@eclipse.org> wrote:

    Since I'm the one that built Eclipse Jetty 10.0.15, let's see
    what's going on ...

    First, the official release of 10.0.15 ...

    The official release does not live on a P2 repository anywhere on
    download.eclipse.org.
    The official release exists as a maven (tycho) p2 artifact on
    maven central.
    The official release of the jetty-jndi 10.0.15 artifact has the
    following verification ...

    md5:    785f479c6433717bee8e9bb94df56c11
    sha1:   7825525aae7c7e11e7cef57672e43e5e4d727856
    sha256: c01a1d2ea0ebac1565f4c8e92d1b5151daf14ac09502efd52f5536a59245cb16


    The suspect org.eclipse.jetty.jndi_10.0.15.jar artifact found at
    https://download.eclipse.org/staging/2023-09/plugins/
    has the following verification (which doesn't match the official
    release) ...

    md5:    8f2d6b1e2acef3285e3a12f62042890c
    sha1:   488a1601bae6f4d0357e6a4b4174e1dcfca068af
    sha256: 623f2009671f0138495fd659622fd78e3153671a50a1c280aeb2410e9365b455

    Digging into the contents of the suspect
    org.eclipse.jetty.jndi_10.0.15.jar artifact I can see that it's
    been modified.
    It appears that the META-INF/MANIFEST.MF has been modified; now
    every class has a SHA-256-Digest entry.
    There are also new META-INF/ECLIPSE_.SF and
    META-INF/ECLIPSE_.RSA entries in the jar file (likely JAR signatures).

    The binary comparison of the contents of the official jar vs the
    eclipse jar shows that only the 3 files mentioned above are different.
    META-INF/MANIFEST.MF
    META-INF/ECLIPSE_.SF
    META-INF/ECLIPSE_.RSA
    The rest of the files are identical to the official jetty-jndi
    10.0.15 artifact.

    I don't understand why Jetty is present anywhere on
    download.eclipse.org in this molested form; the tycho-p2
    information present on maven central for Eclipse Jetty contains
    all of the validation, verification (3 kinds), and signatures (2
    kinds) to satisfy P2 without modifying the original artifacts.
    The Jetty Tycho P2 maven repository is how the Eclipse Jetty
    artifacts are meant to be consumed, not via these transient
    ancient Eclipse P2 repositories.

    The Jetty Tycho P2 information on Maven Central ->
    https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-p2/11.0.15/

    Now, back to your error ...
    12:05:07 [ERROR]    Problems downloading artifact:
    osgi.bundle,org.eclipse.jetty.jndi,10.0.15.:
    12:05:07 [ERROR]       MD5 hash is not as expected. Expected:
    785f479c6433717bee8e9bb94df56c11 and found
    8f2d6b1e2acef3285e3a12f62042890c.

    The "Expected" hash value in your error is the official artifact
    md5 hash value, the "found" hash value in your error is the
    md5 hash value for the download.eclipse.org artifact.

    Of special note ...

    Over the past couple of years the Eclipse Jetty project has
    learned of several projects that provide Supply Chain Auditing for
    anyone that is concerned about that.
    Every official release of Eclipse Jetty gets updated in these
    various databases.
    The process that these Ancient Eclipse P2 Repositories use, where
    we modify various official artifacts with JAR signatures on every
    transient build of these P2 repositories, is the reason the
    ancient Eclipse P2 technique artifacts will never be recognized by
    any of those supply chain databases as the official release of
    those artifacts.
    Releasing the same artifacts as official releases at a later date,
    using these ancient Eclipse P2 techniques, is just inviting failed
    audits (and this isn't limited to Eclipse Jetty, it also includes
    any 3rd party jar/lib that is modified by this ancient Eclipse P2
    technique).

    - Joakim


    On Mon, Aug 28, 2023 at 5:12 AM Ondrej Dockal via
    cross-project-issues-dev <cross-project-issues-dev@eclipse.org> wrote:

        Hey folks,

        in RedDeer build [1] we are facing an issue when running the
        tests with a checksum for org.eclipse.jetty.jndi.

        Error message:

        12:05:07 [INFO] Fetching org.eclipse.jetty.util_10.0.15.jar
        from https://download.eclipse.org/staging/2023-09/plugins/ (557.33kB)
        12:05:07 [INFO] Fetching org.eclipse.jetty.jndi_10.0.15.jar
        from https://download.eclipse.org/staging/2023-09/plugins/ (56.39kB)
        12:05:07 [ERROR] An error occurred while transferring
        artifact canonical: osgi.bundle,org.eclipse.jetty.jndi,10.0.15
        from repository https://download.eclipse.org/staging/2023-09:
        12:05:07 [ERROR] Problems downloading artifact:
        osgi.bundle,org.eclipse.jetty.jndi,10.0.15.:
        12:05:07 [ERROR] MD5 hash is not as expected. Expected:
        785f479c6433717bee8e9bb94df56c11 and found
        8f2d6b1e2acef3285e3a12f62042890c.


        Any hints?

        Regards,

        Ondrej

        [1]: https://ci.eclipse.org/reddeer/job/reddeer.verification.parametrized/136/console
--
        Ondrej Dockal

        Senior Software Quality Engineer, Developer QE

        Red Hat Czech, s.r.o. <https://www.redhat.com/>

        Purkyňova 111

        Brno 612 00, Czech Republic

        odoc...@redhat.com

        <https://www.redhat.com/>

        _______________________________________________
        cross-project-issues-dev mailing list
        cross-project-issues-dev@eclipse.org
        To unsubscribe from this list, visit
        https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev



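The checks Joakim describes above (whole-jar digests, then an entry-by-entry comparison to see whether only META-INF/MANIFEST.MF, ECLIPSE_.SF and ECLIPSE_.RSA differ) can be scripted. The following is an added example, not code from the thread or from the Jetty or Eclipse projects; it builds two small constructed jars in memory to stand in for the official and the re-signed artifacts, so it runs offline.

```python
import hashlib
import io
import zipfile

# Entries the Eclipse P2 signing step adds or rewrites, per the thread above.
SIGNING_ENTRIES = {"META-INF/MANIFEST.MF", "META-INF/ECLIPSE_.SF", "META-INF/ECLIPSE_.RSA"}
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def file_digests(data: bytes) -> dict:
    """md5/sha1/sha256 of the whole jar: the three values compared in the thread."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def entry_digests(data: bytes) -> dict:
    """sha256 of every file entry inside the jar, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def compare_jars(official: bytes, suspect: bytes) -> dict:
    """Report which entries differ and whether the difference is signing-only."""
    a, b = entry_digests(official), entry_digests(suspect)
    changed = {n for n in a.keys() & b.keys() if a[n] != b[n]}
    added, removed = set(b) - set(a), set(a) - set(b)
    signed = any(n.startswith("META-INF/") and n.endswith(SIGNATURE_SUFFIXES) for n in b)
    return {"changed": sorted(changed), "added": sorted(added), "removed": sorted(removed),
            "signing_only": (changed | added | removed) <= SIGNING_ENTRIES,
            "is_signed": signed}


def build_jar(entries: dict) -> bytes:
    """Helper to construct a sample jar in memory (a jar is just a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not the real jetty-jndi artifacts or their real manifests.
CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"\x00" * 16
MANIFEST = "Manifest-Version: 1.0\nBundle-SymbolicName: org.eclipse.jetty.jndi\n"
OFFICIAL = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                      "org/eclipse/jetty/jndi/Foo.class": CLASS_BYTES})
RESIGNED = build_jar({"META-INF/MANIFEST.MF": MANIFEST + "\nName: org/eclipse/jetty/jndi/Foo.class\n"
                      "SHA-256-Digest: (placeholder digest)\n",
                      "META-INF/ECLIPSE_.SF": "Signature-Version: 1.0\n",
                      "META-INF/ECLIPSE_.RSA": b"(placeholder PKCS#7 blob)",
                      "org/eclipse/jetty/jndi/Foo.class": CLASS_BYTES})
```

On real files, read each jar with `open(path, "rb").read()` and pass the bytes to `compare_jars`; a result with `signing_only` false means something other than the signing step changed the artifact.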
