Closed
Open
Created Dec 03, 2020 by Matthew Finkel (@sysrqb, Maintainer)

Be more lenient about maven .pom dependencies

In !139 (merged) (and related) MRs we encountered issues when the sha256 hash of .pom files changed. I hit this again for another package.

--2020-12-03 16:00:08--  https://jcenter.bintray.com/com/sun/xml/bind/mvn/jaxb-parent/2.3.1/jaxb-parent-2.3.1.pom                                                                                         
Resolving jcenter.bintray.com (jcenter.bintray.com)... 54.187.47.108, 52.88.32.158, 35.161.162.245, ...
Connecting to jcenter.bintray.com (jcenter.bintray.com)|54.187.47.108|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41072 (40K) [application/content-stream]   
Saving to: ‘/home/android/tor-browser-build/tmp/tmp.2kQepb2RaB’                                                                                                            
                       
/home/android/tor-browser-build 100%[===============================================================================================================>]  40.11K  --.-KB/s    in 0.07s
                     
2020-12-03 16:00:09 (586 KB/s) - ‘/home/android/tor-browser-build/tmp/tmp.2kQepb2RaB’ saved [41072/41072]
                
downloaded_file: FAILED                      
sha256sum: WARNING: 1 computed checksum did NOT match             
Error: Error creating gradle-dependencies-4
make: *** [Makefile:123: testbuild] Error 1
                               
real    694m6.533s          
user    4004m38.931s
sys     102m40.663s
$ curl https://jcenter.bintray.com/com/sun/xml/bind/mvn/jaxb-parent/2.3.1/jaxb-parent-2.3.1.pom | sha256sum                               
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed                                                                                                                             
100 41072  100 41072    0     0  87201      0 --:--:-- --:--:-- --:--:-- 87016
f699ef37ec7966e284742dfca83075221179041a9a49aef7991280192604462d  - 

Apparently the reason for this is that package metadata can be updated without bumping the package version:

https://www.jfrog.com/confluence/display/BT/Managing+Packages

https://www.jfrog.com/confluence/display/BT/Managing+Versions#ManagingVersions-EditingaVersion

Maybe we should not enforce checking the .pom hash, and only verify the hash of .jar and .aar files. This means we probably want a different file format for describing all gradle dependencies.
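
One way to implement the policy proposed above, as an added example that is not tor-browser-build's own code: a hash mismatch on .pom metadata is logged and tolerated, while any other file (.jar, .aar) still fails the check. The "<sha256> | <url>" list format and the function names verify_dep and verify_list are assumptions made for illustration.

```shell
# Added example: lenient hash policy for .pom files, strict for everything else.
# Assumed (hypothetical) list format, one entry per line: "<sha256> | <url>"

# verify_dep FILE EXPECTED_SHA256 URL
# Returns 0 if the file is accepted, 1 if it must be rejected.
verify_dep() {
    file=$1; expected=$2; url=$3
    # A missing download is always an error, even for .pom files.
    if [ ! -f "$file" ]; then
        echo "ERROR: missing file for $url" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && return 0
    case "$url" in
        *.pom)
            # Metadata can be re-published without a version bump: accept,
            # but log both hashes so the change can be reviewed.
            echo "WARNING: .pom hash changed: $url ($expected -> $actual)" >&2
            return 0 ;;
        *)
            echo "ERROR: hash mismatch: $url ($expected != $actual)" >&2
            return 1 ;;
    esac
}

# verify_list LIST DIR
# Checks each entry of LIST against the file with the same basename in DIR.
# Exit status is the number of rejected files (0 means all accepted).
verify_list() {
    list=$1; dir=$2; failed=0
    while IFS='|' read -r sum url; do
        sum=$(echo "$sum" | tr -d ' ')
        url=$(echo "$url" | tr -d ' ')
        # Skip blank lines and comments.
        case "$sum" in ''|'#'*) continue ;; esac
        verify_dep "$dir/${url##*/}" "$sum" "$url" || failed=$((failed + 1))
    done < "$list"
    return "$failed"
}
```

A tolerated .pom is no longer pinned, so its integrity rests on the HTTPS connection to the repository; the warning line keeps the changed hash visible for review.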
