For me this covers two aspects:

* security: it should be suspicious that the same version of a JAR has a different hash based on where we find it. That's why we should manually compare the JARs and see if it's something trivial (like, different timestamps in the JAR file) or serious (different .class files, new / missing .class files).

* stability: we are less likely to introduce regressions if we stick to the same binary. The IP clearance process is not about introducing new things and updating versions but just about deciding provenance and such. Ideally, at the end of the process we should have identical files, just cleared from a legal perspective.

--emi

>-------- Original Message --------
>Subject: Why are signed jars a problem?
>Local Time: October 31, 2017 12:56 PM
>UTC Time: October 31, 2017 10:56 AM
>From: [email protected]
>To: [email protected]
>
>Picking up some more modules to review and I can see some of you go to
> great length to find external binary in Maven Central (or elsewhere), even
> where an exact match doesn't exist. (by exact match I mean where the hash
> doesn't match)
>
> More specifically:
>
> Some external jars in the old NetBeans build have been stripped of their
> signatures. Why?
>
> See Matthias' comment here:
>https://github.com/apache/incubator-netbeans/pull/118#issuecomment-336624270
>
> In general: How much should I try to find the external binary in some repo?
>
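As an added example (not code from this thread or from the NetBeans project), the manual comparison emi describes, done per entry so that a JAR that differs only by timestamps is told apart from one whose .class files changed or whose signature entries (META-INF/*.SF, *.RSA, *.DSA and the manifest digests) were stripped; the sample JARs, their names and the verdict labels are constructed assumptions:

```python
import hashlib
import os
import tempfile
import zipfile

# Entries that differ between a signed and an unsigned build of the same classes
# (in a signed JAR the manifest also carries per-entry digest attributes).
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def entry_digests(jar_path):
    """Map entry name -> SHA-256 of its content; entry timestamps are ignored."""
    with zipfile.ZipFile(jar_path) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def is_signature_related(name):
    return name == "META-INF/MANIFEST.MF" or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES))

def compare_jars(jar_a, jar_b):
    """Return (verdict, differing entries): identical, trivial, signature, serious or review."""
    with open(jar_a, "rb") as fa, open(jar_b, "rb") as fb:
        if hashlib.sha256(fa.read()).digest() == hashlib.sha256(fb.read()).digest():
            return "identical", []
    a, b = entry_digests(jar_a), entry_digests(jar_b)
    delta = sorted((set(a) ^ set(b)) | {n for n in set(a) & set(b) if a[n] != b[n]})
    if not delta:
        return "trivial", delta        # same bytes per entry; only timestamps/order differ
    if all(is_signature_related(n) for n in delta):
        return "signature", delta      # signed vs. unsigned build of the same classes
    if any(n.endswith(".class") for n in delta):
        return "serious", delta        # different, new or missing .class files
    return "review", delta             # resources or manifest changed: inspect by hand

def write_jar(path, entries, stamp):  # constructed sample JAR: {name: bytes}, one date_time
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)

def demo():  # build constructed JARs in a temp dir; verdict of each compared with 'orig'
    plain = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "a/B.class": b"\xca\xfe\xba\xbe\x00"}
    signed = dict(plain, **{"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: a/B.class\n",
                            "META-INF/X.SF": b"sf", "META-INF/X.RSA": b"rsa"})
    patched = dict(plain, **{"a/B.class": b"\xca\xfe\xba\xbe\x01"})
    builds = {"orig": (plain, (2017, 1, 1, 0, 0, 0)), "rebuilt": (plain, (2017, 10, 31, 12, 56, 0)),
              "signed": (signed, (2017, 1, 1, 0, 0, 0)), "patched": (patched, (2017, 1, 1, 0, 0, 0))}
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n + ".jar") for n in builds}
        for n, (entries, stamp) in builds.items():
            write_jar(paths[n], entries, stamp)
        return {n: compare_jars(paths["orig"], paths[n])[0] for n in builds}
```

A whole-file hash mismatch is only the trigger; the per-entry verdict is what tells you whether the artifact in the repository is the same code as the checked-in binary.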
