[ https://issues.apache.org/jira/browse/UIMA-6453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17536703#comment-17536703 ]
Richard Eckart de Castilho commented on UIMA-6453:
--------------------------------------------------

It appears that one should read the ASF release and signing policy such that the sha512 requirement applies specifically to artifacts distributed through https://downloads.apache.org but not necessarily to convenience artifacts such as those on Maven Central. I checked the latest Apache Lucene 9.1.0 release on Maven Central and they do not have SHA512 hashes there.

I'll still fix the attachment of the SHA512 hashes.

Working on this, I tried attaching a hash for the POM files as well. However, that is tricky. The {{checksum-maven-plugin}}'s {{artifacts-checksum}} goal does not attach a signature on the POM. If I use an additional {{files}} goal, it attaches the POM's signature using a spurious {{null}} classifier in the filename. If I turn off attachment in the {{files}} goal and instead manually attach using the {{maven-build-helper-plugin}}, it works for {{jar}} modules, but not for {{pom}} modules, where it fails with the message

{noformat}
Execution attach-pom-checksum of goal org.codehaus.mojo:build-helper-maven-plugin:3.3.0:attach-artifact failed: For artifact {org.apache.uima:uimaj-parent:3.3.1-SNAPSHOT:pom}: An attached artifact must have a different ID than its corresponding main artifact.
{noformat}

So I'll leave it at SHA512 hash files for the JARs but not for the POM.

> Invalid SHA512 generated for Maven artifacts
> --------------------------------------------
>
>                 Key: UIMA-6453
>                 URL: https://issues.apache.org/jira/browse/UIMA-6453
>             Project: UIMA
>          Issue Type: Bug
>          Components: Build, Packaging and Test
>    Affects Versions: 3.2.0uimaFIT, 3.2.0SDK, 3.1.0ruta, 3.3.0SDK
>            Reporter: Richard Eckart de Castilho
>            Assignee: Richard Eckart de Castilho
>            Priority: Major
>             Fix For: 3.3.0uimaFIT, parent-pom-15, 3.3.1SDK, 3.2.0ruta
>
>
> The SHA512 signature files we generate for the Maven artifacts overwrite each other. E.g. in the recent uimaFIT 3.3.0 RC 2, I found:
> {noformat}
> % cat org/apache/uima/uimafit-maven-plugin/3.3.0/uimafit-maven-plugin-3.3.0.sha512
> 4db94daceccf1727b1620a20a708eb1830a95fa8ad967219ad7fff537bf845055174f659b43f3bb827cd1296d4608c10b3f36306a76da4dd27af50a45517bb2f  uimafit-maven-plugin-3.3.0-javadoc.jar
> {noformat}
> Looking at Maven Central, I can see such bad signatures in multiple releases:
>
> *UIMAJ*
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.1.1/ - looks ok
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.2.0/ - BAD
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-core/3.3.0/ - BAD (latest version)
>
> *uimaFIT*
> * https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.1.0/ - looks ok
> * https://repo1.maven.org/maven2/org/apache/uima/uimafit-core/3.2.0/ - BAD (latest version)
>
> *RUTA*
> * https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.0.1/ - looks ok
> * https://repo1.maven.org/maven2/org/apache/uima/ruta-core/3.1.0/ - BAD (latest version)
>
> *UIMA-AS*
> * https://repo1.maven.org/maven2/org/apache/uima/uimaj-as-core/2.9.0/ - last release seems to have been before the SHA512 requirement
>
> *DUCC*
> * https://repo1.maven.org/maven2/org/apache/uima/uima-ducc-common/3.0.0/ - looks ok (latest version)

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
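The check a release reviewer would run over a downloaded Maven repository directory to catch the RC 2 symptom described in the issue: a `.sha512` file whose content is the digest of a different artifact than the one its name refers to. This is an added example, not code from the UIMA build, the checksum-maven-plugin, or Apache; the directory layout, placeholder JAR contents, and the three checksum files it creates are constructed to reproduce the good and bad cases.

```python
"""Verify the .sha512 files deployed next to Maven artifacts.

Added example, not part of UIMA-6453 or the UIMA build. The sample
repository built by build_sample_repo() is constructed: placeholder JAR
bytes and checksum files modelled on the RC 2 case from the issue.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Maven Central serves a bare hex digest; files written by sha512sum (and by
# checksum-maven-plugin's "files" goal) append "  <filename>". Accept both,
# including the "*" binary marker that sha512sum emits on some platforms.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{128})(?:\s+\*?(\S+))?\s*$")


def sha512_of(path: Path) -> str:
    """Streamed SHA-512 of a file, as lowercase hex."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(path: Path):
    """Return (digest, named_file) from a .sha512 file; named_file may be None."""
    lines = path.read_text(encoding="utf-8").strip().splitlines()
    if not lines:
        raise ValueError(f"{path.name}: empty checksum file")
    m = CHECKSUM_LINE.match(lines[0])
    if not m:
        raise ValueError(f"{path.name}: not a SHA-512 checksum line")
    return m.group(1).lower(), m.group(2)


def verify_checksums(repo_dir: Path) -> dict:
    """Map each .sha512 file name in repo_dir to a verdict string.

    'ok'                digest matches the artifact the file is named after
    'names-other-file'  the checksum line names a different artifact
                        (the UIMA-6453 symptom: overwritten checksum files)
    'missing-artifact'  no artifact exists for the checksum file's stem
    'digest-mismatch'   artifact exists but its digest differs
    """
    verdicts = {}
    for cs in sorted(repo_dir.glob("*.sha512")):
        expected = repo_dir / cs.name[: -len(".sha512")]
        digest, named = parse_checksum_file(cs)
        if named is not None and Path(named).name != expected.name:
            verdicts[cs.name] = "names-other-file"
        elif not expected.exists():
            verdicts[cs.name] = "missing-artifact"
        elif digest != sha512_of(expected):
            verdicts[cs.name] = "digest-mismatch"
        else:
            verdicts[cs.name] = "ok"
    return verdicts


def build_sample_repo(repo_dir: Path) -> None:
    """Constructed layout: three placeholder JARs and three checksum files."""
    main_jar = repo_dir / "uimafit-maven-plugin-3.3.0.jar"
    javadoc_jar = repo_dir / "uimafit-maven-plugin-3.3.0-javadoc.jar"
    sources_jar = repo_dir / "uimafit-maven-plugin-3.3.0-sources.jar"
    main_jar.write_bytes(b"PK\x03\x04 main jar placeholder")
    javadoc_jar.write_bytes(b"PK\x03\x04 javadoc jar placeholder")
    sources_jar.write_bytes(b"PK\x03\x04 sources jar placeholder")
    # Bad, as in RC 2: a classifier-less .sha512 that holds the javadoc digest.
    (repo_dir / "uimafit-maven-plugin-3.3.0.sha512").write_text(
        f"{sha512_of(javadoc_jar)}  {javadoc_jar.name}\n", encoding="utf-8"
    )
    # Good: bare digest of the main JAR under the main JAR's name.
    (repo_dir / "uimafit-maven-plugin-3.3.0.jar.sha512").write_text(
        sha512_of(main_jar) + "\n", encoding="utf-8"
    )
    # Bad in a quieter way: right file name, but a stale digest (main JAR's).
    (repo_dir / "uimafit-maven-plugin-3.3.0-sources.jar.sha512").write_text(
        sha512_of(main_jar) + "\n", encoding="utf-8"
    )


def run_demo() -> dict:
    """Build the constructed repository in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d)
        build_sample_repo(repo)
        return verify_checksums(repo)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:18} {name}")
```

The `names-other-file` branch is checked before the digest comparison on purpose: the RC 2 file verifies correctly against the javadoc JAR, so a naive "does the digest match some file" check would pass it, while what matters is that no checksum at all covers the main artifact. Point `verify_checksums` at a directory fetched with `wget -r` (or a local `~/.m2` path) to audit a published release.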