On Wed, Aug 26, 2009 at 11:28 AM, Martin Cooper<[email protected]> wrote:
> On Wed, Aug 26, 2009 at 7:04 AM, Wes Wannemacher<[email protected]> wrote:
>> Hey, I got that email last night from the henkp bot that checks sigs,
>> after fixing up the KEYS file on people.a.o,
>
> I assume that, by "fixing up", you mean adding your own release
> signing key? The KEYS file is checked into SVN, which is where it
> should be modified.
>
> https://svn.apache.org/repos/asf/struts/maven/trunk/build/KEYS
>
> If what's on the site ever differs from what's in SVN, then that's
> very bad, because it means we could have been hacked somehow. The file
> should never be edited in place.

Yes, the file should be modified in SVN, but our steps indicate we
should copy it out to people.a.o -

http://struts.apache.org/2.x/docs/creating-and-signing-a-struts-21x-distribution.html#CreatingandSigningaStruts2.1.xDistribution-CreateaPGPkey

If there is some other mechanism that should take care of this for us,
it's probably broken because my public key is in the KEYS file, but my
key never made it to the copy sitting on people.a.o, I had to push it
out there manually.


>
>> I tried to check the
>> signatures as a last minute sanity check and noticed that it seems
>> like the jars that are deployed are different from the jars sitting on
>> my machine from when I ran the release... For instance -
>>
>> (on people.a.o)
>> $ shasum struts-annotations-1.0.5*.jar
>> 40e6914b9ed3988ae38d141099b8a10af7992d8f  struts-annotations-1.0.5-javadoc.jar
>> e9dbf458c0f445d68b71789388a8ca6df426efcb  struts-annotations-1.0.5-sources.jar
>> 373013015e18b6cb6ae488c6755f7824f737c958  struts-annotations-1.0.5.jar
>>
>> (on my machine)
>> $ shasum struts-annotations-1.0.5*jar
>> a0a67a32990325d06b057c59aef1e974b2669b64  struts-annotations-1.0.5.jar
>> dfa90f19763e9fa159377f0a105366735954e3f6  struts-annotations-1.0.5-javadoc.jar
>> a8f2cd8275c50040f5c7d85657fcc877e54a6f66  struts-annotations-1.0.5-sources.jar
>>
>> So, of course, the detached sigs are failing as well... I kind of
>> figure that it's related to the recent disk failure / restore from
>> backup, but I'm not sure whether I should just SCP the copies out
>> there or notify infra. Suggestions?
>
> If the files really are different, then we have a problem if the files
> have made it out to mirrors, since I'm not sure that the mirrors will
> pick up changed versions of the same files. You may need to check with
> infra on that. It would be good if we can figure out how this
> happened, too. I'm not sure a disk failure would cause this unless the
> files are actually corrupted (which would obviously be a major issue
> too!).
>

Sorry, folks, false alarm, I was looking at the wrong files on my
hard-drive... Still learning maven. Apparently when you run the
release:perform, it checks everything out into target/checkout and
creates jars in target/checkout/target which are somehow slightly
different from the jars sitting in target.

I'll keep digging, but the hashes and signatures all seem to match now.

-Wes

-- 
Wes Wannemacher

Head Engineer, WanTii, Inc.
Need Training? Struts, Spring, Maven, Tomcat...
Ask me for a quote!
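As an added example, not code from the thread or from the Struts project, here is a small Python checker for the comparison Wes did by hand above: it parses two `shasum` listings (tolerating the line wrapping the mail client introduced), reports per file whether the deployed artifact matches the release build's, and can build the same manifest from a local directory. The two listings are copied from the thread as constructed sample input; the function names are my own.

```python
import hashlib, re
from pathlib import Path

# Constructed sample input: the two listings quoted in the thread, including
# the mail client's wrapping of a file name onto the line after its hash.
DEPLOYED = """40e6914b9ed3988ae38d141099b8a10af7992d8f
struts-annotations-1.0.5-javadoc.jar
e9dbf458c0f445d68b71789388a8ca6df426efcb
struts-annotations-1.0.5-sources.jar
373013015e18b6cb6ae488c6755f7824f737c958  struts-annotations-1.0.5.jar
"""
LOCAL = """a0a67a32990325d06b057c59aef1e974b2669b64  struts-annotations-1.0.5.jar
dfa90f19763e9fa159377f0a105366735954e3f6
struts-annotations-1.0.5-javadoc.jar
a8f2cd8275c50040f5c7d85657fcc877e54a6f66
struts-annotations-1.0.5-sources.jar
"""
HASH_RE = re.compile(r"^([0-9a-f]{40})\s*(\S.*)?$")

def parse_shasum(text):
    """shasum output -> {filename: sha1}; a hash with no name on its line
    takes the next non-empty line as the (wrapped) file name."""
    manifest, pending = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HASH_RE.match(line)
        if m and m.group(2):
            manifest[m.group(2).strip()] = m.group(1)
        elif m:
            pending = m.group(1)
        elif pending:
            manifest[line], pending = pending, None
        else:
            raise ValueError(f"unparseable shasum line: {line!r}")
    return manifest

def compare_manifests(expected, actual):
    """Per-file verdict: ok, MISMATCH, missing (not deployed) or unexpected."""
    report = {n: "missing" if n not in actual
                 else "ok" if actual[n] == d else "MISMATCH"
              for n, d in expected.items()}
    report.update({n: "unexpected" for n in actual.keys() - expected.keys()})
    return report

def sha1_manifest(directory, pattern="*.jar"):
    """Same shape as parse_shasum, computed from real files (cf. `shasum *.jar`)."""
    return {p.name: hashlib.sha1(p.read_bytes()).hexdigest()
            for p in sorted(Path(directory).glob(pattern))}
```

In practice you would run `sha1_manifest` on the directory that `release:perform` actually built from (the thread's lesson is that this is not necessarily `target/`) and on the deployed copy, then feed both to `compare_manifests`; on the two listings quoted above it reports all three jars as MISMATCH, which is exactly what the hand comparison showed.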
