That's perfect - Its sort of inline with what I was thinking and had locally but just the 'nosignature' part and the different hash's was confusing me.
Thanks for the explaination! John On 11 October 2017 at 06:35, Antonio <[email protected]> wrote: > > > On 11/10/17 00:59, John McDonnell wrote: >>>> >>>> 2. >>>> >>>> There's 1 external dependency here: >>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029 >>>> org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar >>>> >>>> I'm not sure about the nosignature part, but I can find[1] this >>>> version which I guess is the same one, but when I change the >>>> binaries-list file to use >>>> B580E446B543A8DD2F5AA368B07F9C4C9C2E7029 >>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r >>>> >>>> I got an error as the hash was wrong and had to change it to be: >>>> 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5 >>>> org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r >>>> >>>> Should I be viewing this as a potential question mark, or is it okay? >>> >>> >>> >>> Enter the SHA-1 Checksum at the bottom of this page: >>> >>> http://search.maven.org/#advancedsearch >>> >>> And doublecheck that the version (name, etc.) is correct. >> >> >> Nope, that hash didn't return anything from that search tool. > > > This is confusing, I know, so please let me try to explain myself again. > > It's normal that the original SHA1 sum (B580E446B54... ) is NOT in maven > central. This is so because ages ago the original jar binary file was > uploaded to the NetBeans repository by the NSA/KGB/CIA guys :-D. > > The idea is to look up the jar again in maven central and fetch a proper > binary hash sum. The error suggests (47D59DF...). > > What I meant when I said "doublecheck that the version is correct" is that > we should now check this new checksum in the > http://search.maven.org/#advancedsearch page. If we do so we get [1], which > looks correct (same artifact name, same version) for this binary. > > So now we can get rid of that NSA/KGB binary that was once placed there in > the NetBeans repository (with that B580E... checksum), and replace it with > one from Maven central (with that 47D59DF... checksum). This is safer, > because NSA/KGB have new hacking techniques and do deliver now new official > binaries from maven central. :-D > > So, to summarize, we once had this line in the binaries-list file: > > B580E446B543A8DD2F5AA368B07F9C4C9C2E7029 > org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar > > With a SHA-1 sum that is NOT in maven central, and we now have to replace it > with > > 47D59DFFB5F02470CCFB6C1A5A31B6040A1636E5 > org.eclipse.jgit:org.eclipse.jgit:3.6.2.201501210735-r > > With corresponds to the official maven binary, with the latest NSA/KGB > patches applied. > > > [1] > http://search.maven.org/#search%7Cga%7C1%7C1%3A%2247D59DFFB5F02470CCFB6C1A5A31B6040A1636E5%22 > >> >>> If the name of the jar file is different from the original entry you'll >>> have >>> to update nbproject/project.xml and nbproject/project.properties. In your >>> case the original file had a '_nosignature' thing there, which is missing >>> in >>> the file downloaded from central. > > > The original binary was named > > org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar > > And the one from maven central is named differently: > > org.eclipse.jgit-3.6.2.201501210735-r.jar > > So we'll have to modify nbproject/project.properties and > nbproject/project.xml to reflect this name change. > > In project.properties we see > > release.external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar=modules/org-eclipse-jgit.jar > > That should be changed to > > release.external/org.eclipse.jgit-3.6.2.201501210735-r.jar=modules/org-eclipse-jgit.jar > > (removing the _nosignature stuff) > > and in project.xml > > <class-path-extension> > > <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path> > > <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r_nosignature.jar</binary-origin> > </class-path-extension> > > should now look like: > > > <class-path-extension> > > <runtime-relative-path>org-eclipse-jgit.jar</runtime-relative-path> > > <binary-origin>external/org.eclipse.jgit-3.6.2.201501210735-r.jar</binary-origin> > </class-path-extension> > > (removing the _nosignature suffix) > > To verify that these changes are correct just run "ant test" in the module > directory. > > > [2] > http://repo1.maven.org/maven2/org/eclipse/jgit/org.eclipse.jgit/3.6.2.201501210735-r/ > > >> >> No worries, thanks for the advice. I might move this to one side and >> start another module tomorrow and come back to it. >> > > Ok. Let me know if you need help (but I'll be offline for a few hours from > now). > > Cheers, > Antonio > > -- John
