Bug 346824

Summary: Unsigned jars in Indigo ...
Product: Community
Reporter: David Williams <david_williams>
Component: Cross-Project
Assignee: David Williams <david_williams>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: igor, stepper
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Linux
Whiteboard:
Bug Depends on:
Bug Blocks: 346976
Attachments (Description, Flags):
   full listing of unsigned jars in Indigo RC1 repo (Flags: none)
   down to 226 for RC2 ... (Flags: none)

Description David Williams CLA 2011-05-23 02:45:50 EDT
I'm sure everyone knows by now that to be in the "common repository" requires your jars to be signed. 

I've tested the repo for Indigo RC1 and found about 350 were not (and about 6500 were) ... these numbers include jars and pack.gz files both. 

It seems like the "number of projects" that still need to sign is small, though. I'll attach complete list of unsigned jars, but here's the summary, based on name spaces. 

   antenna.preprocessor.v3_1.3.0.201103211802.jar
   com.ning.async-http-client_1.6.3.201105171436.jar
   de.schlichtherle.truezip_6.6.0.201103211802.jar
   jmunit.framework_1.2.1.201103211802.jar

org.ascape.* 
org.eclipse.amp.*
org.eclipse.dltk.*
org.eclipse.draw3d.*
org.eclipse.emf.eef.*
org.eclipse.emf.java*
org.eclipse.gef3d*
org.eclipse.m2e.*
org.eclipse.mtj*

   org.eclipse.persistence.jpa.jpql_1.0.0.v20110516-r9382.jar
   org.eclipse.persistence.jpa.jpql.source_1.0.0.v20110516-r9382.jar

org.eclipse.stp.sca*
   
   org.jboss.netty_3.2.4.Final-201105171436.jar
Comment 1 David Williams CLA 2011-05-23 02:46:53 EDT
Created attachment 196306 [details]
full listing of unsigned jars in Indigo RC1 repo
Comment 2 David Williams CLA 2011-05-23 02:56:50 EDT
As an interesting reference ... I also analyzed Helios SR2 repository. There were about 50 jars there not signed, most from org.eclipse.mtj project. A few of the others look like repeats too ... antenna? jmunit.framework? What are those? There is only one case of "known to not be signable", that I know of, namely commonj.sdo. 

org.eclipse.mtj.*

   de.schlichtherle.truezip_6.6.0.201101310801.jar
   org.eclipse.net4j.spring.db_0.7.1.v200610271244.jar
   jmunit.framework_1.2.1.201101310801.jar
   antenna.preprocessor.v3_1.3.0.201101310801.jar
   org.eclipse.net4j.spring_0.7.1.v200610271244.jar
   javax.persistence_2.0.1.v201006031150.jar
   org.eclipse.jdt.core.compiler.batch.source_3.6.0.N20101020-2000.jar
   org.eclipse.jdt.core.compiler.batch_3.6.0.N20101020-2000.jar
Comment 3 Eike Stepper CLA 2011-05-23 05:16:15 EDT
(In reply to comment #2)
>    org.eclipse.net4j.spring_0.7.1.v200610271244.jar

That one is (was) strange. Neither our integration build (Indigo) nor our maintenance build (Helios) produces this plugin:

https://hudson.eclipse.org/hudson/job/emf-cdo-integration/lastSuccessfulBuild/artifact/result/site.p2/index.html

https://hudson.eclipse.org/hudson/job/emf-cdo-maintenance/lastSuccessfulBuild/artifact/result/site.p2/index.html
Comment 4 Igor Fedorenko CLA 2011-05-23 11:02:54 EDT
fyi, signing m2e artifacts is tracked as Bug 339970 and we expect our contribution to be signed from rc2 on.
Comment 5 David Williams CLA 2011-05-23 16:57:17 EDT
(In reply to comment #3)
> (In reply to comment #2)
> >    org.eclipse.net4j.spring_0.7.1.v200610271244.jar
> 
> That one is (was) strange. Neither our integration build (Indigo) nor our
> maintenance build (Helios) produces this plugin:
> 

It does seem odd ... I checked a recent aggregation log and could not find it mentioned anywhere in the "mirroring ..." messages. The only explanation I can think of for how something could "exist" in these signing checks, but not be in the mirroring messages, is if it is, somehow, "embedded" inside another jar (because the signing test just works on the file system ... does not actually use p2 to 'get' things). (Even that doesn't really make sense ... just the only hint of anything I could think of.)

In the past, we've had things that were inadvertently being "pulled in" to the common repo (by some other project, not the contributor, per se) but I think then they still showed up in mirroring messages. 

So, we'll see ... maybe it'll magically disappear in this week's RC2 :)
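
A file-system check of the kind comment 5 describes, as an added example that is not part of the original thread or the Eclipse tooling: it walks a directory of jars and lists those without signature files, and also looks inside each jar for embedded jars, the case speculated about above. It only tests for the presence of `META-INF/*.SF` with a matching `.RSA`/`.DSA`/`.EC` block (it does not verify the signature as `jarsigner -verify` would), it skips pack.gz files, and all function and file names are assumptions with sample jars constructed inline.

```python
import io
import os
import tempfile
import zipfile
SIG_BLOCKS = (".RSA", ".DSA", ".EC")  # signature block extensions

def has_signature_files(zf):
    """True if META-INF holds a .SF file with a matching signature block."""
    meta = [n.upper() for n in zf.namelist()
            if n.upper().startswith("META-INF/") and n.count("/") == 1]
    sf = {n[:-3] for n in meta if n.endswith(".SF")}
    blocks = {os.path.splitext(n)[0] for n in meta if n.endswith(SIG_BLOCKS)}
    return bool(sf & blocks)

def scan_jar(data, label, unsigned):
    """Record label if the jar lacks signature files; recurse into embedded jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if not has_signature_files(zf):
            unsigned.append(label)
        for name in zf.namelist():
            if name.lower().endswith(".jar"):
                scan_jar(zf.read(name), label + "!/" + name, unsigned)

def find_unsigned(root):  # works on the file system only, no p2 involved
    unsigned = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in (f for f in files if f.endswith(".jar")):
            path = os.path.join(dirpath, fname)
            label = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                scan_jar(fh.read(), label, unsigned)
    return sorted(unsigned)

def make_jar(entries):  # constructed jar (zip) built in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():  # constructed repo: one signed, one unsigned, one signed wrapper
    sig = {"META-INF/MANIFEST.MF": "", "META-INF/X.SF": "", "META-INF/X.RSA": ""}
    bare = make_jar({"META-INF/MANIFEST.MF": ""})
    jars = {"signed.jar": make_jar(sig), "unsigned.jar": bare,
            "wrapper.jar": make_jar({**sig, "lib/embedded.jar": bare})}
    with tempfile.TemporaryDirectory() as root:
        for name, data in jars.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_unsigned(root)
```
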
Comment 6 Eike Stepper CLA 2011-05-23 17:53:53 EDT
(In reply to comment #5)
> (In reply to comment #3)
> > (In reply to comment #2)
> > >    org.eclipse.net4j.spring_0.7.1.v200610271244.jar

Please also note how old it is! I remember that it used to be an integration with the Spring Framework which, itself, has never been approved for the release train, IIRC. I have no clue where it comes from or why...
Comment 7 David Williams CLA 2011-05-23 19:37:31 EDT
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #3)
> > > (In reply to comment #2)
> > > >    org.eclipse.net4j.spring_0.7.1.v200610271244.jar
> 
> Please also note, how old it is! I remember that it used to be an integration
> with the Spring Framework which, itself, has never been approved for the
> release train, IIRC. I have no clue where it comes from or why...

I see I was misunderstanding initially, this unsigned jar was in Helios ... and those logs are gone. I'm not so much worried about helios, except I was looking at projects that were unsigned then, and that are still unsigned in Indigo ... those are indicating a long term problem.
Comment 8 Eike Stepper CLA 2011-05-24 02:25:39 EDT
(In reply to comment #7)
> > > > >    org.eclipse.net4j.spring_0.7.1.v200610271244.jar
> > 
> > Please also note, how old it is! I remember that it used to be an integration
> > with the Spring Framework which, itself, has never been approved for the
> > release train, IIRC. I have no clue where it comes from or why...
> 
> I see I was misunderstanding initially, this unsigned jar was in Helios ... and
> those logs are gone. I'm not so much worried about helios, except I was looking
> at projects that were unsigned then, and that are still unsigned in Indigo ...
> those are indicating a long term problem.

If you found this jar in Helios I would say there's definitely a long term problem. Not because it's unsigned but because it was there. The version and the build timestamp indicate that it's way older than Helios, probably from ancient times when CDO and Net4j have not been on the train at all. In addition its name ("spring") indicates that it is not allowed to be on the train at all because the Spring Framework is not allowed to be on the train. Where exactly have you seen it?
Comment 9 David Williams CLA 2011-05-24 09:07:37 EDT
> If you found this jar in Helios I would say there's definitely a long term 
> problem. Not because it's unsigned but because it was there. The version and
> the build timestamp indicate that it's way older than Helios, probably from
> ancient times when CDO and Net4j have not been on the train at all. In addition
> it's name ("spring") indicates that it is not allowed to be on the train at all
> because the Spring Framework is not allowed to be on the train. Where exactly
> have you seen it?

I saw it on the file system, where Helios SR2 repository is stored: 

   ~/downloads/releases/helios/201102250900/aggregate/plugins
 
-rw-rw-r-- 1 david_williams callistoadmin 499K 2011-02-23 10:24 org.eclipse.net4j.spring_0.7.1.v200610271244.jar
-rw-rw-r-- 1 david_williams callistoadmin 364K 2011-02-23 10:24 org.eclipse.net4j.spring.db_0.7.1.v200610271244.jar


But, honestly, I wouldn't see this as "a problem" ... at least not one worth spending any time on now. At least as long as it doesn't show up in some other way that impacts users.
Comment 10 Eike Stepper CLA 2011-05-24 12:21:21 EDT
(In reply to comment #8)
> [...] because the Spring Framework is not allowed to be on the train.

Just for completeness reasons: I found a lot of approved CQs for the Spring Framework now. But this year's train does not seem to ship it.
Comment 11 David Williams CLA 2011-05-26 00:29:21 EDT
Created attachment 196625 [details]
down to 226 for RC2 ...
Comment 12 David Williams CLA 2011-08-31 16:31:26 EDT
Just noticed this bug was still open ... but, for Indigo SR1 there is only one showing up as "unsigned", and there is a reason for it, as documented in bug 356382, so I'll close this one, and say thanks to all!