[ 
https://issues.apache.org/jira/browse/LUCENE-5185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13746924#comment-13746924
 ] 

Steve Rowe commented on LUCENE-5185:
------------------------------------

bq. it was totally intentional: LUCENE-4267

Thanks for the pointer, I guess I didn't realize at the time that checksums 
were included.

{quote}
bq. They should not be there.

That's your personal opinion: I disagree (please see the issue for discussion).
{quote}

AFAICT, the only discussion that happened there that's applicable to the 
checksums was your rationale in the issue description:

bq. additional verification for consumers.

Is there some other discussion I'm missing?

I don't disagree that consumers could theoretically use the checksums to verify 
3rd party .jar integrity, but:

# We don't provide checksums for our own .jars, or for anything else in the 
binary distributions - why are 3rd party jars special in this regard?
# Jenkins regularly validates the checksums against the files Ivy downloads, 
and the smoke checker runs 'ant validate' against the source distribution, 
which indirectly validates the integrity of the 3rd party jars included in the 
binary distribution.

Maybe the smoke tester could be modified to directly test the checksums against 
the binary artifacts' 3rd party jars?

My thinking here is that we should keep our distributions lean, including only 
the things that must be there, and I don't think these checksum files qualify.
                
> licenses/*.jar.sha1 don't belong in Lucene and Solr binary distributions
> ------------------------------------------------------------------------
>
>                 Key: LUCENE-5185
>                 URL: https://issues.apache.org/jira/browse/LUCENE-5185
>             Project: Lucene - Core
>          Issue Type: Improvement
>          Components: general/build
>            Reporter: Steve Rowe
>            Assignee: Steve Rowe
>            Priority: Minor
>             Fix For: 5.0, 4.5
>
>
> On LUCENE-3945, where external dependency checksum verification was put in 
> place, [[email protected]] wrote:
> bq. So i propose that we include checksum files in svn and in our source 
> releases that can be used by users to verify that the jars they get from ivy 
> match the jars we tested against.
> That is, checksum files in *binary* distributions was not part of the 
> proposal.
> And [in his comment associated with the final 
> patch|https://issues.apache.org/jira/browse/LUCENE-3945?focusedCommentId=13246476&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13246476]:
> bq. 2) fixes the binary releases to exclude the sha1 files
> Somewhere between then and now, {{\*.jar.sha1}} files snuck back into the 
> Lucene and Solr binary releases, under the {{licenses/}} directory.  They 
> should not be there.
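
The direct check suggested in the comment above (testing the checksums against the 3rd party jars inside an unpacked binary distribution) could look like the following. This is an added example, not code from the Lucene smoke tester or from anyone in the thread. It assumes each checksum file is named `<jar name>.sha1`, sits in one `licenses/` directory, and holds the hex SHA-1 digest as its first token; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha1_of(path: Path) -> str:
    """Stream the file so large jars are not read into memory at once."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_jar_checksums(dist_root: Path, licenses_dir: Path) -> dict:
    """Compare every jar under dist_root with licenses_dir/<jar name>.sha1.
    Assumption: the first token of each .sha1 file is the hex digest."""
    expected = {p.name[:-len(".sha1")]: (p.read_text().split() or [""])[0].lower()
                for p in licenses_dir.glob("*.jar.sha1")}
    report = {"ok": [], "mismatch": [], "no_checksum": [], "unused_checksum": []}
    seen = set()
    for jar in sorted(dist_root.rglob("*.jar")):
        seen.add(jar.name)
        if jar.name not in expected:
            report["no_checksum"].append(jar.name)  # e.g. the project's own jars
        elif sha1_of(jar) == expected[jar.name]:
            report["ok"].append(jar.name)
        else:
            report["mismatch"].append(jar.name)     # also hit by an empty .sha1 file
    # Checksum files with no matching jar point at a stale licenses/ directory.
    report["unused_checksum"] = sorted(set(expected) - seen)
    return report

def demo() -> dict:
    """Constructed sample tree: three fake jars and three checksum files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lib, lic = root / "lib", root / "licenses"
        lib.mkdir()
        lic.mkdir()
        (lib / "good-1.0.jar").write_bytes(b"constructed jar A")
        (lib / "tampered-2.0.jar").write_bytes(b"modified after checksum")
        (lib / "own-core.jar").write_bytes(b"project jar")
        (lic / "good-1.0.jar.sha1").write_text(
            hashlib.sha1(b"constructed jar A").hexdigest() + "\n")
        (lic / "tampered-2.0.jar.sha1").write_text(
            hashlib.sha1(b"constructed jar B").hexdigest() + "\n")
        (lic / "absent-3.0.jar.sha1").write_text("0" * 40 + "\n")
        return check_jar_checksums(root, lic)
```

A checksum shipped in the same archive as the jar only detects accidental corruption or a packaging mix-up; anyone able to alter the archive can alter both files, so the expected digests need to come from a separately trusted source for this to say anything about tampering.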
