[
https://issues.apache.org/jira/browse/LUCENE-3945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13245632#comment-13245632
]
Dawid Weiss commented on LUCENE-3945:
-------------------------------------
{noformat}
reader = new BufferedReader(new FileReader(f));
{noformat}
Isn't this locale-sensitive? I think it should be explicit UTF-8 (or US-ASCII
for that matter).
{noformat}
+ String hexStr = Integer.toHexString(CHECKSUM_BYTE_MASK & digest[i]);
+ if (hexStr.length() < 2) {
+ checksum.append("0");
+ }
+ checksum.append(hexStr);
{noformat}
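Review bot: in the `if (hexStr.length() < 2)` branch, the zero-padding yields exactly two digits per byte only if `CHECKSUM_BYTE_MASK` is 0xFF, and its value is not visible in this hunk. Consider an inline `0xFF` or a comment at the constant so the masking of the sign-extended byte is evident. `Integer.toHexString` emits lowercase digits, so the later comparison against the stored checksum should either normalize case or require lowercase checksum files.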
Aren't any of these simpler?
{noformat}
checksum.append(String.format(Locale.ENGLISH, "%02x", CHECKSUM_BYTE_MASK & digest[i]));
{noformat}
or
{noformat}
char[] HEX = "0123456789abcdef".toCharArray();
int v = digest[i];
// high nibble first, then low nibble
checksum.append(HEX[(v >>> 4) & 0x0F]).append(HEX[v & 0x0F]);
{noformat}
> we should include checksums for every jar ivy fetches in svn & src releases
> to verify the jars are the ones we expect
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: LUCENE-3945
> URL: https://issues.apache.org/jira/browse/LUCENE-3945
> Project: Lucene - Java
> Issue Type: Task
> Reporter: Hoss Man
> Fix For: 3.6, 4.0
>
> Attachments: LUCENE-3945.patch
>
>
> Conversation with rmuir last night got me thinking about the fact that one
> thing we lose by using ivy is confidence that every user of a release is
> compiling against (and likely using at run time) the same dependencies as
> every other user.
> Up to 3.5, users of src and binary releases could be confident that the jars
> included in the release were the same jars the lucene devs vetted and tested
> against when voting on the release candidate, but with ivy there is now the
> possibility that after the source release is published, the owner of a domain
> where these dependencies are hosted might change the jars in some way w/o
> anyone knowing. Likewise: we as developers could commit an ivy.xml file
> pointing to a specific URL which we then use for and test for months, and
> just prior to a release, the contents of the remote URL could change such
> that a JAR included in the binary artifacts might not match the ones we've
> vetted and tested leading up to that RC.
> So I propose that we include checksum files in svn and in our source releases
> that can be used by users to verify that the jars they get from ivy match the
> jars we tested against.
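The verification proposed in the issue, combined with the two review points above (explicit charset when reading the checksum file, table-based hex encoding), as an added example that is not code from the patch or from the Lucene project. Assumptions: SHA-256 as the digest, one checksum file per jar holding the hex digest on its first line, and the class, method and file names, which are hypothetical.

```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;

public class JarChecksumCheck {
  private static final char[] HEX = "0123456789abcdef".toCharArray();

  // Locale-independent hex encoding: always two lowercase digits per byte.
  static String toHex(byte[] digest) {
    StringBuilder sb = new StringBuilder(digest.length * 2);
    for (byte b : digest) {
      sb.append(HEX[(b >>> 4) & 0x0F]).append(HEX[b & 0x0F]);
    }
    return sb.toString();
  }

  // Streams the file through the digest so large jars are not held in memory.
  static String digestOf(Path file, String algorithm) throws Exception {
    MessageDigest md = MessageDigest.getInstance(algorithm);
    try (InputStream in = Files.newInputStream(file)) {
      byte[] buf = new byte[8192];
      for (int n; (n = in.read(buf)) != -1; ) {
        md.update(buf, 0, n);
      }
    }
    return toHex(md.digest());
  }

  // Reads the expected value with an explicit charset, never the platform
  // default; an empty checksum file fails closed.
  static boolean matches(Path jar, Path checksumFile, String algorithm) throws Exception {
    try (BufferedReader reader = Files.newBufferedReader(checksumFile, StandardCharsets.US_ASCII)) {
      String line = reader.readLine();
      return line != null && line.trim().equalsIgnoreCase(digestOf(jar, algorithm));
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample data: a stand-in "jar" and the checksum recorded for it.
    Path jar = Files.createTempFile("example-lib-1.0", ".jar");
    Path sum = Files.createTempFile("example-lib-1.0", ".jar.sha256");
    Files.write(jar, "constructed jar bytes".getBytes(StandardCharsets.UTF_8));
    Files.write(sum, (digestOf(jar, "SHA-256") + "\n").getBytes(StandardCharsets.US_ASCII));
    System.out.println("as vetted:         " + matches(jar, sum, "SHA-256"));
    Files.write(jar, "content changed upstream".getBytes(StandardCharsets.UTF_8));
    System.out.println("after the change:  " + matches(jar, sum, "SHA-256"));
  }
}
```

A build that uses such a check should fail when `matches` returns false or when a fetched jar has no checksum file at all, since a missing file is indistinguishable from an unvetted dependency.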