Lucene - Core
LUCENE-3945

We should include checksums for every jar ivy fetches in svn & src releases to verify the jars are the ones we expect

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6, 4.0-ALPHA
    • Component/s: None
    • Labels:
      None
    • Lucene Fields:
      New

      Description

      Conversation with rmuir last night got me thinking about the fact that one thing we lose by using ivy is confidence that every user of a release is compiling against (and likely using at run time) the same dependencies as every other user.

      Up to 3.5, users of src and binary releases could be confident that the jars included in the release were the same jars the lucene devs vetted and tested against when voting on the release candidate, but with ivy there is now the possibility that after the source release is published, the owner of a domain where these dependencies are hosted might change the jars in some way w/o anyone knowing. Likewise: we as developers could commit an ivy.xml file pointing to a specific URL which we then use and test for months, and just prior to a release, the contents of the remote URL could change such that a JAR included in the binary artifacts might not match the ones we've vetted and tested leading up to that RC.

      So I propose that we include checksum files in svn and in our source releases that can be used by users to verify that the jars they get from ivy match the jars we tested against.

      1. LUCENE-3945_trunk_jar_sha1.patch
        40 kB
        Hoss Man
      2. LUCENE-3945_trunk_jar_sha1.patch
        38 kB
        Hoss Man
      3. LUCENE-3945_trunk_jar_sha1.patch
        34 kB
        Hoss Man
      4. LUCENE-3945.patch
        5 kB
        Hoss Man
      5. LUCENE-3945.patch
        5 kB
        Hoss Man
      6. LUCENE-3945.patch
        4 kB
        Hoss Man
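
The check proposed in the description, as an added example that is not part of the issue or its attached patches: each fetched jar is compared against a committed SHA-1 file, and jars with no checksum or checksums with no jar are reported as well. The `<jar>.sha1` sidecar naming, the function names and the sample jars are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_of(path: Path) -> str:
    """Stream the file so large jars are not read into memory at once."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_jars(lib_dir: Path) -> dict:
    """Map each jar (and each orphaned checksum file) to a status string."""
    results = {}
    for jar in sorted(lib_dir.rglob("*.jar")):
        sidecar = jar.with_name(jar.name + ".sha1")  # assumed naming convention
        if not sidecar.is_file():
            results[jar.name] = "no-checksum"  # unvetted jar: fail closed
            continue
        # Tolerate "digest  filename" (sha1sum style) as well as a bare digest.
        fields = sidecar.read_text().split()
        expected = fields[0].lower() if fields else ""
        results[jar.name] = "ok" if sha1_of(jar) == expected else "mismatch"
    for sidecar in sorted(lib_dir.rglob("*.jar.sha1")):
        if not sidecar.with_suffix("").is_file():
            results[sidecar.name] = "jar-missing"  # expected dependency absent
    return results


def demo() -> dict:
    """Constructed sample: one vetted jar, one swapped after vetting, one unvetted."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        for name in ("good-1.0.jar", "swapped-1.0.jar"):
            (lib / name).write_bytes(b"vetted bytes of " + name.encode())
            (lib / (name + ".sha1")).write_text(sha1_of(lib / name) + "\n")
        (lib / "swapped-1.0.jar").write_bytes(b"different bytes served later")
        (lib / "unvetted-1.0.jar").write_bytes(b"no checksum was committed")
        (lib / "gone-1.0.jar.sha1").write_text("0" * 40 + "\n")
        return verify_jars(lib)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:12} {name}")
```

A build would treat any status other than `ok` as a failure. SHA-1 is used because the attached patches are named for it; a stronger digest only requires changing `sha1_of`.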

        Activity

        Uwe Schindler made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Robert Muir made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Hoss Man made changes -
        Attachment LUCENE-3945_trunk_jar_sha1.patch [ 12521343 ]
        Hoss Man made changes -
        Attachment LUCENE-3945_trunk_jar_sha1.patch [ 12521331 ]
        Hoss Man made changes -
        Attachment LUCENE-3945_trunk_jar_sha1.patch [ 12521263 ]
        Hoss Man made changes -
        Attachment LUCENE-3945.patch [ 12521252 ]
        Hoss Man made changes -
        Attachment LUCENE-3945.patch [ 12521245 ]
        Hoss Man made changes -
        Field Original Value New Value
        Attachment LUCENE-3945.patch [ 12521187 ]
        Hoss Man created issue -

          People

          • Assignee:
            Unassigned
            Reporter:
            Hoss Man