[jira] [Resolved] (LUCENE-3945) we should include checksums for every jar ivy fetches in svn & src releases to verify the jars are the ones we expect

Wed, 04 Apr 2012 12:03:41 -0700 

     [ 
https://issues.apache.org/jira/browse/LUCENE-3945?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Muir resolved LUCENE-3945.
---------------------------------

    Resolution: Fixed

Backported to 3.x

Thanks Hoss!
                
> we should include checksums for every jar ivy fetches in svn & src releases 
> to verify the jars are the ones we expect
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: LUCENE-3945
>                 URL: https://issues.apache.org/jira/browse/LUCENE-3945
>             Project: Lucene - Java
>          Issue Type: Task
>            Reporter: Hoss Man
>             Fix For: 3.6, 4.0
>
>         Attachments: LUCENE-3945.patch, LUCENE-3945.patch, LUCENE-3945.patch, 
> LUCENE-3945_trunk_jar_sha1.patch, LUCENE-3945_trunk_jar_sha1.patch, 
> LUCENE-3945_trunk_jar_sha1.patch
>
>
> Conversation with rmuir last night got me thinking about the fact that one 
> thing we lose by using ivy is confidence that every user of a release is 
> compiling against (and likely using at run time) the same dependencies as 
> every other user.
> Up to 3.5, users of src and binary releases could be confident that the jars 
> included in the release were the same jars the lucene devs vetted and tested 
> against when voting on the release candidate, but with ivy there is now the 
> possibility that after the source release is published, the owner of a domain 
> where these dependencies are hosted might change the jars in some way w/o 
> anyone knowing.  Likewise: we as developers could commit an ivy.xml file 
> pointing to a specific URL which we then use for and test for months, and 
> just prior to a release, the contents of the remote URL could change such 
> that a JAR included in the binary artifacts might not match the ones we've 
> vetted and tested leading up to that RC.
> So i propose that we include checksum files in svn and in our source releases 
> that can be used by users to verify that the jars they get from ivy match the 
> jars we tested against.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to