| Summary: | at least 4 bundles (with nested jars) can not be "unpacked" with Java 7 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Technology] CBI | Reporter: | David Williams <david_williams> | ||||
| Component: | CBI p2 Repository Aggregator | Assignee: | Project Inbox <b3.aggregator-inbox> | ||||
| Status: | RESOLVED DUPLICATE | QA Contact: | |||||
| Severity: | normal | ||||||
| Priority: | P3 | CC: | thomas | ||||
| Version: | unspecified | ||||||
| Target Milestone: | --- | ||||||
| Hardware: | PC | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Attachments: |
|
||||||
|
Description
David Williams
Hmm, I checked org.apache.ant, version v20110505-1300, in the cvs repository, and it _does_ have an eclipse.inf file, with jarprocessor.exclude.children.sign=true I think this might be an aggregator "verify" bug ... like its verifying too much. While these bundles are flagged as having "tampered" content ... I think that it should not be checking the nested jars. I looked at the apache.ant jar, and pack.gz file in detail. As mentioned, it does have jarprocessor.exclude.children.sign=true in its eclipse.inf. I could unpack200 the pack.gz version (with not errors) and then ran java's jarsigner -verify and the jar verified ok. It did say Warning: This jar contains unsigned entries which have not been integrity-checked. ... but, no error. If I recall, the aggregator uses some OSGi security function to check these jars ... maybe that's where the bug is? But ... thought I'd start with aggregator. These jars could be downloaded one by one from http://download.eclipse.org/tools/orbit/downloads/drops/S20111201180206/ such as from clicking on the table, http://www.eclipse.org/downloads/download.php?r=1&file=/tools/orbit/downloads/drops/S20111201180206/repository/plugins/org.apache.ant_1.8.2.v20110505-1300.jar and with a little manual intervention http://www.eclipse.org/downloads/download.php?r=1&file=/tools/orbit/downloads/drops/S20111201180206/repository/plugins/org.apache.ant_1.8.2.v20110505-1300.jar.pack.gz I've experienced similar problems (nested jars failing) and discovered that this was caused by using Java 7. This is reported in bug 361628. Could this be related to that bug? Please elaborate how you think the aggregator can be improved to handle this situation. The aggregator uses p2 to unpack and it doesn't have any checking of it's own. The only difference between the aggregator and the IDE installer is that installer silently ignores errors in pack.gz files if it can fall back on the jar. I have confirmed, that "moving back" to Java 6 allowed the aggregation to succeed just fine ... so, agree, this is a Java 7 issue and dup of bug 361628. Thanks for the pointer. *** This bug has been marked as a duplicate of bug 361628 *** [Bookkeeping change only. Moving bugs to the new "home" of aggregator, CBI. No change to assignee for resolved and verified bugs.] |