Wrong checksums in module.json (2.15.0, 2.15.1) #1028

Closed
hboutemy opened this issue May 18, 2023 · 8 comments

@hboutemy

hboutemy commented May 18, 2023

check:

$ for v in 2.14.3 2.15.0-rc1 2.15.0-rc2 2.15.0-rc3 2.15.0 2.15.1 ; do
  base="https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/$v"
  echo "$v: $base"
  curl -s $base/jackson-core-$v.module | grep md5 | tail -1
  curl -s $base/jackson-core-$v.jar | md5sum
done

gives following results:

2.14.3: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.14.3
          "md5": "abb25b80cda20ddc2cd3bbd8fccd0d34"
abb25b80cda20ddc2cd3bbd8fccd0d34  -
2.15.0-rc1: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.0-rc1
          "md5": "f025e63d6acf12f6ab7a9395b2e7839f"
22a62f740a8ae4d18f92fd046d430c33  -
2.15.0-rc2: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.0-rc2
          "md5": "2fa06351c3e0b189188ea52dd6bed370"
ba468eaacf916f088c5416d2a78ddbc1  -
2.15.0-rc3: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.0-rc3
          "md5": "7ce0e69a172f3fc5fdbe17084d41db7"
9880100f0b6076fe1f405182a93b4bb0  -
2.15.0: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.0
          "md5": "6791b06af1f5268de81b4002e2e5753b"
884fa0e39483933acc1168184c002bb9  -
2.15.1: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.15.1
          "md5": "a01d167430c8ccd5635ce0a74c5a7e30"
48a8701b4f142e2fe3b8cae07a2af4d2  -

checksum in module.json was ok in 2.14.3 (and previously: I checked older releases), but since early 2.15 rc, it's broken

looking at build output:

[INFO] --- moditect-maven-plugin:1.0.0.Final:add-module-info (add-module-infos) @ jackson-core ---
[INFO] 
[INFO] --- gradle-module-metadata-maven-plugin:0.4.0:gmm (default) @ jackson-core ---
[INFO] 
[INFO] --- maven-shade-plugin:3.4.1:shade (shade-jackson-core) @ jackson-core ---
...
[INFO] Replacing original artifact with shaded artifact.
[INFO] Replacing /var/maven/app/target/jackson-core-2.15.1.jar with /var/maven/app/target/jackson-core-2.15.1-shaded.jar

need to switch order between shade and gmm goals as gmm does not fingerprint the jar file that is published = the shaded one
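
An offline version of the check above, added here as an example (it is not part of the original issue or of the Jackson build): it reads a Gradle Module Metadata file and compares the size and digests declared in each `variants[].files[]` entry with the file sitting next to it. The `demo-1.0` artifact and its bytes are constructed sample data that imitate a jar being replaced after the metadata was generated.

```python
import hashlib
import json
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256", "sha512")  # digest keys in a module "files" entry


def digests(path):
    """Hash the file once with every algorithm in ALGOS."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_module(module_path):
    """Return (variant, file, field, declared, actual) for every mismatch."""
    module_path = Path(module_path)
    module = json.loads(module_path.read_text(encoding="utf-8"))
    problems, cache = [], {}
    for variant in module.get("variants", []):
        for entry in variant.get("files", []):
            target = module_path.parent / entry["url"]  # url is relative to the .module
            if not target.is_file():
                problems.append((variant["name"], entry["url"], "file", "present", "missing"))
                continue
            if target not in cache:
                cache[target] = dict(digests(target), size=target.stat().st_size)
            for field in ("size",) + ALGOS:
                if field in entry and entry[field] != cache[target][field]:
                    problems.append((variant["name"], entry["url"], field,
                                     entry[field], cache[target][field]))
    return problems


def demo():
    """Constructed sample: metadata written first, jar replaced afterwards."""
    with tempfile.TemporaryDirectory() as d:
        jar = Path(d, "demo-1.0.jar")
        jar.write_bytes(b"original jar bytes")           # what the metadata step saw
        entry = dict(digests(jar), name=jar.name, url=jar.name, size=jar.stat().st_size)
        module = Path(d, "demo-1.0.module")
        module.write_text(json.dumps({"variants": [{"name": "apiElements", "files": [entry]}]}))
        before = verify_module(module)                   # metadata and jar agree
        jar.write_bytes(b"shaded jar bytes, different")  # a later step replaces the jar
        return before, verify_module(module)
```

Run against a downloaded `.module` and jar in the same directory, `verify_module` returns an empty list only when every declared size and digest matches the published file.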

@hboutemy
Author

notice: bug found while checking Reproducible Builds https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/com/fasterxml/jackson/core/README.md
now that the jar itself is reproducible (after FasterXML/oss-parent#75 ), this new issue becomes more visible

@hboutemy
Author

fix is simply about changing order of 2 plugins in pom.xml https://github.com/FasterXML/jackson-core/blob/2.16/pom.xml#L163

cowtowncoder changed the title from "BUG: wrong checksums in module.json from 2.15.0-rc1 to 2.15.1" to "Wrong checksums in module.json (2.15.0, 2.15.1)" on May 18, 2023
cowtowncoder added a commit that referenced this issue May 18, 2023

@cowtowncoder
Member

Merged the fix -- help with verification would be much appreciated.

One question: it looks like maven-jar-plugin comes after GMM plugin; is that problematic? I assume not (checksum only on classes?), but wanted to ask since I think some artifacts are still modified after it.

@hboutemy
Author

@cowtowncoder mvn buildplan:list is your friend to easily see the build plan without executing it

it gives now

package                | maven-jar-plugin                    | 3.3.0       | jar               | default-jar           
process-resources      | moditect-maven-plugin               | 1.0.0.Final | add-module-info   | add-module-infos      
package                | maven-shade-plugin                  | 3.4.1       | shade             | shade-jackson-core    
package                | gradle-module-metadata-maven-plugin | 0.4.0       | gmm               | default               
package                | maven-site-plugin                   | 3.12.1      | attach-descriptor | attach-descriptor     
package                | find-and-replace-maven-plugin       | 1.1.0       | find-and-replace  | exec                  
install                | maven-install-plugin                | 3.1.0       | install           | default-install       

everything looks fine:

  • jar creates the original jar
  • moditect adds a module info to the jar
  • shade replaces the jar with a shaded one
  • gmm creates the Gradle module.json that references the previous jar (that won't be modified any more)
  • site attaches the descriptor
  • find-and-replace updates the pom files that will be pushed to Central: given it has not been fingerprinted by gmm, it's ok to do it here

@hboutemy
Author

(notice: I see that the phase column in buildplan:list is sometimes wrong, but that has no impact, the order is the effective one, it's just the guessing of why execution happens that is a little buggy: while at it, issue opened mojohaus/buildplan-maven-plugin#183 )

@cowtowncoder
Member

@hboutemy Thanks. It is good to get verification since I do not think I can necessarily validate that any given ordering is correct wrt processing (do not know the parts intimately enough to have strong opinion).

@hboutemy
Author

hboutemy commented Jun 2, 2023

FYI, I was able to reproduce Jackson-core 2.15.2 https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/com/fasterxml/jackson/core/README.md (will be updated tonight)

what a great result!

other artifacts have some unexpected small issues, I'll continue to investigate

@cowtowncoder
Member

@hboutemy Thank you for verifying jackson-core! Looking forward to reports on remaining issues.
