Be more lenient about maven .pom dependencies
In !139 (merged) (and related) MRs we encountered issues when the sha256 hash of .pom files changed. I hit this again for another package.
--2020-12-03 16:00:08-- https://jcenter.bintray.com/com/sun/xml/bind/mvn/jaxb-parent/2.3.1/jaxb-parent-2.3.1.pom
Resolving jcenter.bintray.com (jcenter.bintray.com)... 54.187.47.108, 52.88.32.158, 35.161.162.245, ...
Connecting to jcenter.bintray.com (jcenter.bintray.com)|54.187.47.108|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41072 (40K) [application/content-stream]
Saving to: ‘/home/android/tor-browser-build/tmp/tmp.2kQepb2RaB’
/home/android/tor-browser-build 100%[===============================================================================================================>] 40.11K --.-KB/s in 0.07s
2020-12-03 16:00:09 (586 KB/s) - ‘/home/android/tor-browser-build/tmp/tmp.2kQepb2RaB’ saved [41072/41072]
downloaded_file: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
Error: Error creating gradle-dependencies-4
make: *** [Makefile:123: testbuild] Error 1
real 694m6.533s
user 4004m38.931s
sys 102m40.663s
$ curl https://jcenter.bintray.com/com/sun/xml/bind/mvn/jaxb-parent/2.3.1/jaxb-parent-2.3.1.pom | sha256sum
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 41072 100 41072 0 0 87201 0 --:--:-- --:--:-- --:--:-- 87016
f699ef37ec7966e284742dfca83075221179041a9a49aef7991280192604462d -
Apparently the reason for this is that package metadata can be updated without bumping the package version:
https://www.jfrog.com/confluence/display/BT/Managing+Packages
https://www.jfrog.com/confluence/display/BT/Managing+Versions#ManagingVersions-EditingaVersion
Maybe we should not enforce checking the .pom hash, and only verify the hash of .jar and .aar files. This means we probably want a different file format for describing all gradle dependencies.
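A sketch of the check proposed above, added here as an example and not taken from tor-browser-build: the function name `verify_deps` and the list format (one `<sha256> <relative path>` pair per line, as `sha256sum` prints) are assumptions. It enforces the hash on every file except `.pom`, so an unrecognised file type is never silently skipped, and it still reports a changed `.pom` with its new hash so the change can be reviewed.

```shell
#!/bin/bash
# Added example (hypothetical helper, not the project's own code).
# verify_deps LIST DIR
#   LIST: lines of "<sha256> <relative path>"; blank lines and #comments ignored
#   DIR:  directory holding the downloaded files
# Returns 0 when every enforced file matches, 1 otherwise.
verify_deps() {
  local list=$1 dir=$2 rc=0 want path got
  # The "|| [ -n ... ]" clause handles a last line without a trailing newline.
  while read -r want path || [ -n "$want" ]; do
    [ -z "$want" ] && continue
    case $want in \#*) continue ;; esac

    # A file that was never downloaded is always an error, .pom included.
    if [ ! -f "$dir/$path" ]; then
      echo "MISSING $path" >&2
      rc=1
      continue
    fi

    got=$(sha256sum "$dir/$path" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
      continue
    fi

    case $path in
      *.pom)
        # Metadata can be edited upstream without a version bump:
        # report the new hash, but do not fail the build.
        echo "WARN $path: pom changed, expected $want got $got" >&2
        ;;
      *)
        # .jar, .aar and anything else: a mismatch is fatal.
        echo "FAIL $path: expected $want got $got" >&2
        rc=1
        ;;
    esac
  done < "$list"
  return $rc
}
```

Called as `verify_deps gradle-dependencies-list ./downloads` (both names are placeholders), it prints the `WARN` and `FAIL` lines on stderr and leaves the build decision to the exit status.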