Benjamin Marwell created MDEPLOY-290:
----------------------------------------
Summary: m-deploy-p will create hashes for hashes
Key: MDEPLOY-290
URL: https://issues.apache.org/jira/browse/MDEPLOY-290
Project: Maven Deploy Plugin
Issue Type: Bug
Components: deploy:deploy
Affects Versions: 3.0.0-M2, 2.8.2
Reporter: Benjamin Marwell
Hi everyone,
recent ASF parent pom will create hashes for source-release-zip files using the
checksum-maven-plugin.
However, the SHIRO project decided to hash ALL artifacts:
{code:xml}
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<configuration>
<excludes>
<!-- default config -->
<exclude>**/*.md5</exclude>
<exclude>**/*.sha1</exclude>
<exclude>**/*.sha256</exclude>
<exclude>**/*.sha512</exclude>
<exclude> **/*.asc</exclude>
<!-- additional hashes -->
<exclude>**/*.sha3512</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>net.nicoulaj.maven.plugins</groupId>
<artifactId>checksum-maven-plugin</artifactId>
<version>1.11</version>
<executions>
<execution>
<id>source-release-checksum</id>
<phase>none</phase>
</execution>
<execution>
<id>main-artifact-checksum</id>
<phase>verify</phase>
<goals>
<goal>artifacts</goal>
</goals>
</execution>
</executions>
<configuration>
<algorithms>
<algorithm>SHA-256</algorithm>
<algorithm>SHA-512</algorithm>
<algorithm>SHA3-512</algorithm>
</algorithms>
<csvSummary>false</csvSummary>
<!--
attach checksums as well to upload to Maven
Staging Repo,
as this eases uploading from stage to dist and
doesn't do harm in Maven Central
-->
<attachChecksums>true</attachChecksums>
</configuration>
</plugin>
{code}
Now as you can see, gpg plugin had to be extended, but we also create *.sha3512
files. Those and all other hashes are being hashed by the deploy plugin, though:
{code}
$ ls -1F ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/*sources*
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.asc
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.md5
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha1
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha256
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha256.md5
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha256.sha1
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha3512
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha3512.md5
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha3512.sha1
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha512
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha512.md5
./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha512.sha1
{code}
Notice the *.sha512.md1 and *.sha512.sha1 files.
Currently there is no exclusion possible.
Therefore:
* Let's add an exclusion parameter for hashing, similar to gpg's one.
* set a sane default (to be discussed).
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
