Re: [platform-dev] Signed content

2021-05-02 Thread Sravan K Lakkimsetti
I don’t think this mail is in good intentions. This is really offensive and upsetting.

 

This was not reported with the repository analysers either in platform or simrel.

Here is the output of jarsigner when I ran it on org.eclipse.jetty.util.ajax:

C:\Users\SRAVANLAKKIMSETTI\Downloads>"c:\EclipseTest\JAVA\jdk-11.0.10+9\bin\jarsigner.exe" -verify org.eclipse.jetty.util.ajax_10.0.2.jar

jar verified.

We do have a test in platform to verify unsigned content in the repository. 
That test will fail if any bundle is reported as unsigned. This is based on the 
repository analyser report generated during the build. We have been using this 
for quite some time. I myself have stopped simrel contribution multiple times 
the moment I notice a problem with signing.

 

I don’t see a problem when the jarsigner returns as success.

 

-Sravan

 

 

From: Ed Merks  
Sent: 02 May 2021 13:41
To: Eclipse platform general developers list.; Cross project issues; Eclipse Planning Council; eclipse-ide...@eclipse.org
Subject: [EXTERNAL] [platform-dev] Signed content

 

Hi,

I assume from observation that the platform team has decided to change its 
signing policy to not physically sign some jars anymore:

  
https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/eclipse/updates/4.20-I-builds/index.html

This of course propagates to SimRel:

  
https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/staging/2021-06/index.html

I don't recall a Planning Council policy decision to drop/change the need for 
signed jars.  I don't know the full impact this has on the installer nor on 
consumers.   The installer at least appears to happily install such things and 
the IDE presents such things to the user as if they are signed:



Slowly I get the feeling that SimRel is no longer a process where we all work 
together as a team.  Rather it feels as if the platform team can and does 
unilaterally make decisions for everyone else.

Regards,
Ed

 


___
platform-dev mailing list
platform-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/platform-dev
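
Added example, not part of the original thread and not the platform's test or the repository analyser: a structural check that reports whether a jar carries signature files under META-INF and which entries no signature file lists. It does not verify digests or signatures (that is what jarsigner -verify does); the sample jars, their names and the placeholder digest are constructed for illustration.

```python
import io
import re
import zipfile

# Signature-related file names under META-INF (JAR file specification).
SF_RE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
BLOCK_RE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)


def names_in(text):
    """Entry names that have a 'Name:' section in a manifest-style file."""
    # Lines wrap at 72 bytes; a continuation line starts with a single space.
    unfolded = re.sub(r"\r?\n ", "", text)
    return {m.group(1).strip() for m in re.finditer(r"^Name: (.*)$", unfolded, re.M)}


def signing_status(jar_bytes):
    """Structural check only; it does not verify any digest or signature."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = [n for n in jar.namelist() if not n.endswith("/")]
        sf_files = [n for n in entries if SF_RE.match(n)]
        blocks = [n for n in entries if BLOCK_RE.match(n)]
        covered = set()
        for sf in sf_files:
            covered |= names_in(jar.read(sf).decode("utf-8", "replace"))
    skip = set(sf_files) | set(blocks) | {"META-INF/MANIFEST.MF"}
    uncovered = sorted(n for n in entries if n not in skip and n not in covered)
    return {"signed": bool(sf_files and blocks), "uncovered": uncovered}


def make_jar(files):
    """Build a small in-memory jar from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the digest and signature block are placeholders.
BASE = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n", "a/B.class": b"x"}
SF = "Signature-Version: 1.0\r\n\r\nName: a/B.class\r\nSHA-256-Digest: AAAA\r\n\r\n"
SIG = {"META-INF/X.SF": SF, "META-INF/X.RSA": b"placeholder"}
UNSIGNED = make_jar(BASE)
SIGNED = make_jar({**BASE, **SIG})
PARTIAL = make_jar({**BASE, **SIG, "a/Added.class": b"y"})

if __name__ == "__main__":
    for label, jar in (("unsigned", UNSIGNED), ("signed", SIGNED), ("partial", PARTIAL)):
        print(label, signing_status(jar))
```
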


[platform-dev] Signed content

2021-05-02 Thread Ed Merks

Hi,

I assume from observation that the platform team has decided to 
change its signing policy to not physically sign some jars anymore:


https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/eclipse/updates/4.20-I-builds/index.html

This of course propagates to SimRel:

https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/staging/2021-06/index.html

I don't recall a Planning Council policy decision to drop/change the 
need for signed jars.  I don't know the full impact this has on the 
installer nor on consumers.   The installer at least appears to happily 
install such things and the IDE presents such things to the user as if 
they are signed:


Slowly I get the feeling that SimRel is no longer a process where we all 
work together as a team.  Rather it feels as if the platform team can 
and does unilaterally make decisions for everyone else.


Regards,
Ed

