On Wed, 24 Dec 2014 09:31:46 +0100, Luc Maisonobe wrote:
Le 24/12/2014 03:36, Gilles a écrit :
On Tue, 23 Dec 2014 14:02:40 +0100, luc wrote:
This is a [VOTE] for releasing Apache Commons Math 3.4 from release
candidate 3.

Tag name:
MATH_3_4_RC3 (signature can be checked from git using 'git tag -v')

Tag URL:
<https://git-wip-us.apache.org/repos/asf?p=commons-math.git;a=commit;h=befd8ebd96b8ef5a06b59dccb22bd55064e31c34>

Is there a way to check that the source code referred to above
was the one used to create the JAR of the ".class" files.
[Out of curiosity, not suspicion, of course...]

Yes, you can look at the end of the META-INF/MANIFEST.MF file embedded in the jar. The second-to-last entry is called Implementation-Build. It is automatically created by maven-jgit-buildnumber-plugin and contains the SHA1 identifier of the last commit used for the build. Here, it is
befd8ebd96b8ef5a06b59dccb22bd55064e31c34, so we can check it really
corresponds to the expected status of the git repository.


Can this be considered "secure", i.e. can't this entry in the MANIFEST
file be modified to be the checksum of the repository but with the .class
files being substituted with those coming from another compilation?

Regards,
Gilles
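The two checks discussed in this exchange, written out as an added example that is not part of the thread or of the Commons Math build: read the Implementation-Build entry from a jar's META-INF/MANIFEST.MF and compare it with the tagged commit, then compare the SHA-256 of every .class entry against what a rebuild of that commit produces. The jars below are in-memory fixtures constructed by the example (a "genuine" one and one whose class bytes were swapped behind an unchanged manifest); the EXPECTED_COMMIT value is the one quoted in the vote, and the reference digests stand in for a local rebuild from the tag.

```python
import hashlib
import io
import zipfile

# Commit id quoted in the vote e-mail (MATH_3_4_RC3).
EXPECTED_COMMIT = "befd8ebd96b8ef5a06b59dccb22bd55064e31c34"


def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict.

    Manifest values are wrapped at 72 bytes; a line starting with a single
    space continues the previous value. The main section ends at the first
    blank line (per-entry sections may follow and are ignored here).
    """
    entries = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            break
        if raw.startswith(" ") and last_key is not None:
            entries[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last_key = key.strip()
            entries[last_key] = value.strip()
    return entries


def implementation_build(jar_bytes):
    """Return the Implementation-Build value recorded in the jar's manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    return parse_manifest(text).get("Implementation-Build")


def class_digests(jar_bytes):
    """SHA-256 of every .class entry, keyed by entry name.

    The manifest entry is plain text that anyone can write, so the only
    evidence that the classes came from the named commit is a byte-level
    comparison against a rebuild of that commit.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist() if name.endswith(".class")}


def verify(jar_bytes, expected_commit, reference_digests):
    """Return (manifest_matches, classes_match_reference)."""
    manifest_ok = implementation_build(jar_bytes) == expected_commit
    classes_ok = class_digests(jar_bytes) == reference_digests
    return manifest_ok, classes_ok


def build_jar(manifest_build, classes):
    """Construct a minimal jar in memory (test fixture, not a real Maven build)."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "Implementation-Build: " + manifest_build + "\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, body in classes.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed fixtures: the class bodies are placeholders, not real bytecode.
    genuine = build_jar(EXPECTED_COMMIT,
                        {"org/apache/commons/math3/Example.class": b"\xca\xfe\xba\xbe genuine"})
    # Digests of the genuine jar play the role of a local rebuild from the tag.
    reference = class_digests(genuine)
    # Same manifest, different class content: the manifest check alone cannot tell.
    swapped = build_jar(EXPECTED_COMMIT,
                        {"org/apache/commons/math3/Example.class": b"\xca\xfe\xba\xbe other"})
    print("genuine:", verify(genuine, EXPECTED_COMMIT, reference))   # (True, True)
    print("swapped:", verify(swapped, EXPECTED_COMMIT, reference))   # (True, False)
```

Against a real release candidate the reference digests would come from unpacking a jar built locally from the tagged commit with the same toolchain; the manifest check only confirms what the build tool wrote, while the digest comparison (or a signature over the jar contents) is what answers the substitution question raised above.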
