[
https://issues.apache.org/jira/browse/LUCENE-3945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13245636#comment-13245636
]
Steven Rowe commented on LUCENE-3945:
-------------------------------------
bq. it can also detect ivy cache corrumption.
I have encountered cache corrumption: AFAICT a truncated jar file
(tika-parsers-1.0.jar); killing the cache fixed the problem. We could add a
{{clean-ivy-cache}} target calling [the target Ivy
provides|http://ant.apache.org/ivy/history/2.2.0/use/cleancache.html].
> we should include checksums for every jar ivy fetches in svn & src releases
> to verify the jars are the ones we expect
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: LUCENE-3945
> URL: https://issues.apache.org/jira/browse/LUCENE-3945
> Project: Lucene - Java
> Issue Type: Task
> Reporter: Hoss Man
> Fix For: 3.6, 4.0
>
> Attachments: LUCENE-3945.patch
>
>
> Conversation with rmuir last night got me thinking about the fact that one
> thing we lose by using ivy is confidence that every user of a release is
> compiling against (and likely using at run time) the same dependencies as
> every other user.
> Up to 3.5, users of src and binary releases could be confident that the jars
> included in the release were the same jars the lucene devs vetted and tested
> against when voting on the release candidate, but with ivy there is now the
> possibility that after the source release is published, the owner of a domain
> where these dependencies are hosted might change the jars in some way w/o
> anyone knowing. Likewise: we as developers could commit an ivy.xml file
> pointing to a specific URL which we then use for and test for months, and
> just prior to a release, the contents of the remote URL could change such
> that a JAR included in the binary artifacts might not match the ones we've
> vetted and tested leading up to that RC.
> So i propose that we include checksum files in svn and in our source releases
> that can be used by users to verify that the jars they get from ivy match the
> jars we tested against.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
