Uploaded image for project: 'Bigtop'
  1. Bigtop
  2. BIGTOP-3052

Maven version is fixed in security verification code

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.0
    • Fix Version/s: 1.3.0
    • Component/s: toolchain
    • Labels:
      None

      Description

      In BIGTOP-2379, the maven.pp has been refactored using $mvnversion for versioning:

      https://github.com/apache/bigtop/commit/d401eda870a2abfed2b897ed488ee2a571678e68#diff-f5c19b3a16072bc1633fd8db96c6698cR18

      In BIGTOP-3037, secure download for maven was introduced. However, the version is fixed to 3.5.3

      https://github.com/apache/bigtop/commit/980e1883a66256b904cdcd11419f5745880ec55a#diff-f5c19b3a16072bc1633fd8db96c6698cR30

       When maven version automatically upgraded (BIGTOP-3031), the version of downloaded maven and the signature diverse.

       

       

      Ref: https://ci.bigtop.apache.org/view/Docker/job/Docker-Toolchain-Trunk/OS=centos-7/96/console 

      The error log when building bigtop/slaves images:

      Notice: /Stage[main]/Bigtop_toolchain::Maven/Exec[/usr/bin/wget 
      [https://www.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.4-bin.tar.gz.asc]/returns]
      : Connecting to www.apache.org (www.apache.org)|95.216.24.32|:443... connected.
      Notice: /Stage[main]/Bigtop_toolchain::Maven/Exec[/usr/bin/wget 
      [https://www.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.4-bin.tar.gz.asc]/returns]
      : HTTP request sent, awaiting response... 404 Not Found
      Notice: /Stage[main]/Bigtop_toolchain::Maven/Exec[/usr/bin/wget 
      [https://www.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.4-bin.tar.gz.asc]/returns]
      : 2018-07-06 02:24:14 ERROR 404: Not Found.
      Error: /Stage[main]/Bigtop_toolchain::Maven/Exec[/usr/bin/wget 
      [https://www.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.4-bin.tar.gz.asc]
      ]: Failed to call refresh: /usr/bin/wget 
      [https://www.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.4-bin.tar.gz.asc]
       returned 8 instead of one of [0]
      Error: /Stage[main]/Bigtop_toolchain::Maven/Exec[/usr/bin/wget 
      [https://www.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.4-bin.tar.gz.asc]
      ]: /usr/bin/wget 
      [https://www.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.4-bin.tar.gz.asc]
       returned 8 instead of one of [0]
      Notice: /Stage[main]/Bigtop_toolchain::Maven/Exec[/usr/bin/gpg2 -v --verify --auto-key-retrieve --keyserver hkp://keyserver.ubuntu.com:80 apache-maven-3.5.4-bin.tar.gz.asc]: Dependency Exec[/usr/bin/wget 
      [https://www.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.4-bin.tar.gz.asc]
      ] has failures: true
      Warning: /Stage[main]/Bigtop_toolchain::Maven/Exec[/usr/bin/gpg2 -v --verify --auto-key-retrieve --keyserver hkp://keyserver.ubuntu.com:80 apache-maven-3.5.4-bin.tar.gz.asc]: Skipping because of failed dependencies
      Notice: /Stage[main]/Bigtop_toolchain::Maven/Exec[/bin/tar xvzf /usr/src/apache-maven-3.5.4-bin.tar.gz]: Dependency Exec[/usr/bin/wget 
      [https://www.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.4-bin.tar.gz.asc]
      ] has failures: true
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                evans_ye Evans Ye
                Reporter:
                evans_ye Evans Ye
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: