This is great detective work. Thank you so much for looking into this Aurelien!
I'll pick up from here late Saturday or early Sunday.

Thanks,
Gregor

On Tue, Dec 16, 2025 at 3:07 PM Aurelien Pupier via dev <[email protected]> wrote:
>
> @Gregor
> I pushed a commit <https://github.com/apache/camel/commit/b5060ccf49380f7e1f4d71f30b841fd0673dcb9d>
> to the camel-4.14.3 <https://github.com/apache/camel/tree/release/4.14.3> branch
> which will avoid the false positive from the scanner.
> You can rebuild and push another staging repository based on this build when
> you have time.
>
> ________________________________
> From: Aurelien Pupier via dev <[email protected]>
> Sent: Tuesday, December 16, 2025 2:36 PM
> To: Claus Ibsen <[email protected]>; [email protected] <[email protected]>
> Cc: Aurelien Pupier <[email protected]>
> Subject: [EXTERNAL] RE: Problem closing staging repository
>
> I'm realizing that, given that the version is part of the pom, when we move to
> a different version it will change the md5 anyway, so we won't need the
> specific change.
>
> ________________________________
> From: Claus Ibsen <[email protected]>
> Sent: Tuesday, December 16, 2025 2:31 PM
> To: [email protected] <[email protected]>
> Cc: Aurelien Pupier <[email protected]>
> Subject: [EXTERNAL] Re: Problem closing staging repository
>
> Hi Aurelien
>
> Thanks a lot for the help.
>
> So let's update this pom file, such as adding some <!-- blah blah blah --> or
> something.
>
> And if we need to rebuild the release, then Gregor maybe then include the
> newer commits so we get the stuff that is included for 4.14.4 as well.
>
> On Tue, Dec 16, 2025 at 2:19 PM Aurelien Pupier via dev <[email protected]> wrote:
> > Hi,
> >
> > It seems to be the camel-jbang-main.pom which is causing the false positive.
> > It is the only one which has a checksum starting with 07070.
> >
> > More precisely:
> > 070702d0bfee415543562bceb0a5d862 camel-jbang-main/4.14.3/camel-jbang-main-4.14.3.pom
> >
> > So modifying the camel-jbang-main pom and rebuilding should do the trick.
> >
> > Regards,
> >
> > ________________________________
> > From: Aurélien Pupier <[email protected]>
> > Sent: Tuesday, December 16, 2025 1:14 PM
> > To: [email protected] <[email protected]>
> > Subject: [EXTERNAL] Re: Problem closing staging repository
> >
> > Hello,
> >
> > On Tue, Dec 16, 2025 at 10:06 AM Claus Ibsen <[email protected]> wrote:
> > > Hi
> > >
> > > 1)
> > > Is this only for the camel-core project, and not camel-spring-boot?
> > >
> > > 2)
> > > I wonder if we have a similar problem on the main branch if we attempt to
> > > release it as 4.17.0?
> > >
> > > 3)
> > > I wonder, if we redo a 4.14.3 with the latest code from the camel-4.14.x
> > > branch (new code since the current attempt), does it work then?
> > >
> > > 4)
> > > I guess we don't know which file Sonatype complains about, and as such it's
> > > not easy to find out. There is no additional logging?
> >
> > In a previous message, a way to find it was mentioned, which is to go
> > through all MD5 files and search for a specific pattern at the beginning of
> > the file.
> > Can you point me to the nexus repository causing the problem? I can try to
> > download it and then try to search in it.
> >
> > Or the way to generate the MD5 with a build locally?
> >
> > > 5)
> > > Are there other ASF projects that release without MD5 hashes? (see my
> > > other mail thread).
> > > IMHO those are outdated today, and we should consider dropping them and
> > > jumping from SHA1 to SHA256.
> > > But finding other ASF projects releasing that way would be good, to see it's
> > > already done, and this can help us analyze what we can do to upgrade.
> > > Maybe this is better for newer releases like 4.17 or later. But if all the
> > > above fails and this is the only way to do the 4.14.3 release then we can
> > > try this.
> > >
> > > 6)
> > > Any other ideas?
> > >
> > > On Mon, Dec 15, 2025 at 5:23 PM Gregor Zurowski <[email protected]> wrote:
> > > > Hi Everyone:
> > > >
> > > > I wasn't able to resolve this. Therefore, I have created the following
> > > > ticket for the INFRA team:
> > > > https://issues.apache.org/jira/browse/INFRA-27498
> > > >
> > > > Thanks,
> > > > Gregor
> > > >
> > > > On Thu, Dec 11, 2025 at 10:33 PM Claus Ibsen <[email protected]> wrote:
> > > > > Hi
> > > > >
> > > > > And here is another Grok AI reply (think harder mode)
> > > > > https://grok.com/share/c2hhcmQtNQ_2c900d4c-f6e5-401a-9162-d526ac50c514
> > > > >
> > > > > > The error you're encountering during the staging repository closure is
> > > > > > due to Nexus's security validation rule
> > > > > > ("no-traversal-paths-in-archive-file") misidentifying one of your
> > > > > > uploaded MD5 checksum files (e.g., something like
> > > > > > `artifact-name.pom.md5` or `artifact-name.jar.md5`) as a compressed
> > > > > > archive file (specifically, a cpio format archive). This happens because
> > > > > > the content of that particular MD5 file starts with a string like
> > > > > > "070701" or "070702", which matches the magic number for cpio archives.
> > > > > >
> > > > > > When Nexus attempts to inspect it as an archive to check for insecure
> > > > > > paths (e.g., path traversal vulnerabilities), the parsing fails because
> > > > > > it's not actually an archive—it's just a text file containing a hash
> > > > > > and filename. This leads to the WalkerException and the nested
> > > > > > IllegalArgumentException about the "unknown mode," as the random bytes
> > > > > > in the file don't conform to a valid cpio header structure (e.g., the
> > > > > > mode field is interpreted as invalid hex like "5543562b").
> > > > > >
> > > > > > ### How to Identify the Problematic File
> > > > > > - Log in to your Sonatype Nexus OSSRH account and view the contents of
> > > > > >   the staging repository (`orgapachecamel-1911`).
> > > > > > - Download all the .md5 files.
> > > > > > - Open them in a text editor or hex viewer and check which one starts
> > > > > >   with "07070..." (e.g., "070702xxxxxxxx filename").
> > > > > >
> > > > > > ### Solutions
> > > > > > - **Short-term workaround:** Slightly modify the artifact associated
> > > > > >   with the problematic .md5 file (e.g., add a space in a comment or
> > > > > >   update a non-functional part of the POM) to regenerate a new hash that
> > > > > >   doesn't start with the conflicting magic number. Then, redeploy to a
> > > > > >   new staging repository.
> > > > > > - **Alternative:** Bump the version number of the affected artifact
> > > > > >   (e.g., from x.y.z to x.y.z+1) and redeploy. This will change the hash
> > > > > >   and avoid the issue.
> > > > > > - **Long-term recommendation:** Consider generating and uploading
> > > > > >   stronger checksums like SHA-256 (.sha256 files) alongside or instead
> > > > > >   of MD5/SHA1, as longer hashes reduce the chance of magic number
> > > > > >   collisions. Update your Maven build configuration to include this
> > > > > >   (e.g., via the `maven-assembly-plugin` or `maven-deploy-plugin`).
> > > > > >   Sonatype supports SHA-256, and it may help avoid similar edge cases in
> > > > > >   the future.
> > > > > > - If this persists across versions or you can't modify the artifacts,
> > > > > >   contact Sonatype support via their OSSRH Jira (issues.sonatype.org)
> > > > > >   and provide the staging repo ID and error logs for assistance—they
> > > > > >   may be able to override or investigate server-side.
> > > > > >
> > > > > > This is a known edge case in Nexus (versions around 2.x and 3.x),
> > > > > > stemming from content-based file type detection prioritizing magic
> > > > > > numbers over file extensions in some scenarios.
> > > > >
> > > > > On Thu, Dec 11, 2025 at 10:09 PM Gregor Zurowski <[email protected]> wrote:
> > > > > > Hi Everyone:
> > > > > >
> > > > > > I have built the Camel 4.14.3 release candidate, but I am getting the
> > > > > > following error when attempting to close the staging repository in
> > > > > > Nexus:
> > > > > >
> > > > > > ```
> > > > > > Event: Failed: Archives must not contain insecure paths
> > > > > >
> > > > > > typeId no-traversal-paths-in-archive-file
> > > > > > failureMessage Rule evaluation unexpectedly failed:
> > > > > > org.sonatype.nexus.proxy.walker.WalkerException: Aborted walking on
> > > > > > repository ID='orgapachecamel-1911' from path='/'.
> > > > > > x.x.causedBy.1 java.lang.IllegalArgumentException: Unknown mode. Full:
> > > > > > 5543562b Masked: 5000
> > > > > > x.x.causedBy.0 org.sonatype.nexus.proxy.walker.WalkerException:
> > > > > > Aborted walking on repository ID='orgapachecamel-1911' from path='/'.
> > > > > > ```
> > > > > >
> > > > > > Any ideas what might be causing this?
> > > > > >
> > > > > > Thanks in advance,
> > > > > > Gregor
> > > > >
> > > > > --
> > > > > Claus Ibsen
> > >
> > > --
> > > Claus Ibsen
> >
> > Unless otherwise stated above:
> >
> > Compagnie IBM France
> > Registered office: 17, avenue de l'Europe, 92275 Bois-Colombes Cedex
> > RCS Nanterre 552 118 465
> > Legal form: S.A.S.
> > Share capital: 664 614 175,50 €
> > SIRET: 552 118 465 03644 - NAF code 6203Z
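
The "07070" prefix Aurelien found and the "Unknown mode. Full: 5543562b Masked: 5000" line in Gregor's Nexus log fit together once the digest is read as a cpio "newc" header: the 6-char magic is followed by 8 hex chars of c_ino and 8 hex chars of c_mode, and masking the mode with S_IFMT leaves a file type that does not exist. The Python below is an added illustration, not Nexus, Camel or Sonatype code; it assumes the scanner applies the standard newc field layout, parses the digest quoted in the thread that way, and walks a constructed local directory tree for checksum files that begin with a cpio magic, which is the kind of check Aurelien described running over the staging repository.

```python
import hashlib
import os
import stat
import tempfile

# ASCII cpio magic numbers: portable "odc", SVR4 "newc", and "newc" with CRC.
CPIO_MAGICS = ("070707", "070701", "070702")
# Every file-type value that S_IFMT can legitimately extract from a mode field.
VALID_FILE_TYPES = {stat.S_IFIFO, stat.S_IFCHR, stat.S_IFDIR, stat.S_IFBLK,
                    stat.S_IFREG, stat.S_IFLNK, stat.S_IFSOCK}

def parse_as_newc_header(text):
    """Read a hex digest the way a cpio "newc" reader reads its header (assumed
    layout): 6-char magic, then 8 hex chars of c_ino, then 8 hex chars of c_mode."""
    mode = int(text[14:22], 16)
    file_type = stat.S_IFMT(mode)  # same as mode & 0o170000
    return {"magic": text[:6], "ino": text[6:14], "mode": text[14:22],
            "masked": format(file_type, "x"),
            "valid_type": file_type in VALID_FILE_TYPES}

def find_magic_collisions(root, suffixes=(".md5", ".sha1", ".sha256")):
    """Walk a local staging or repository tree and return checksum files whose
    first six characters equal a cpio magic number (the content-sniffing trap)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="ascii", errors="replace") as fh:
                head = fh.read(6)
            if head in CPIO_MAGICS:
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def build_sample_tree():
    """Constructed tree: one .md5 holding the digest quoted in the thread, one
    .md5 computed over a made-up POM; neither is a real downloaded artifact."""
    root = tempfile.mkdtemp()
    digests = {
        "camel-jbang-main/4.14.3/camel-jbang-main-4.14.3.pom.md5": "070702d0bfee415543562bceb0a5d862",
        "camel-other/4.14.3/camel-other-4.14.3.pom.md5": hashlib.md5(b"<project/>").hexdigest(),
    }
    for rel, digest in digests.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(digest + "\n")
    return root
```

The masked value 0x5000 is not one of the S_IFMT file types, which is exactly what the "Unknown mode" error reports. The prefix check depends only on the first six hex characters, so it applies equally to a .sha1 or .sha256 digest; a longer hash does not by itself lower the odds of such a match.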
