
The ancient org.apache.commons.beanutils 1.8.0.v201205091237 bundles are seen as unsigned #870

Closed
merks opened this issue Feb 16, 2023 · 21 comments

Comments

@merks
Contributor

merks commented Feb 16, 2023

This test shows the failures:

https://ci.eclipse.org/oomph/job/repository-analyzer/lastCompletedBuild/testReport/

It's reported here:

https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/eclipse/updates/4.27-I-builds/index.html

Specifically this:

[screenshot omitted]

This is a regression caused by this change:

#773

I'm not sure how removing one Orbit dependency but adding two other Orbit dependencies was an improvement.

@akurtakov

We should either revert that, force PGP sign these things here:

<configuration>
  <keyname>b6d3ab9bcc641282</keyname>
  <skipIfJarsigned>true</skipIfJarsigned>
  <forceSignature>
    <bundle>bcpg</bundle>
    <bundle>bcprov</bundle>
    <bundle>com.sun.el.javax.el.source</bundle>
    <bundle>com.sun.el.javax.el</bundle>
    <bundle>javax.el-api.source</bundle>
    <bundle>javax.el-api</bundle>
    <bundle>org.apache.commons.codec.source</bundle>
    <bundle>org.apache.commons.codec</bundle>
    <bundle>org.apache.commons.jxpath.source</bundle>
    <bundle>org.apache.commons.jxpath</bundle>
    <bundle>org.apache.jasper.glassfish.source</bundle>
    <bundle>org.apache.jasper.glassfish</bundle>
    <bundle>org.glassfish.web.javax.servlet.jsp.source</bundle>
    <bundle>org.glassfish.web.javax.servlet.jsp</bundle>
    <bundle>org.w3c.dom.smil.source</bundle>
    <bundle>org.w3c.dom.smil</bundle>
  </forceSignature>
</configuration>

Or use this newer version if possible:

https://download.eclipse.org/staging/2023-03/buildInfo/archive/download.eclipse.org/staging/2023-03/index/org.apache.commons.commons-beanutils_1.9.4.html

I'm mostly unavailable today and tomorrow...

@akurtakov
Member

I just see this one but can't find beanutils 1.9.4 in the latest Orbit https://download.eclipse.org/tools/orbit/downloads/drops/S20230214193619/repository/plugins/ . I think we should go for 1.9.4 from Maven Central, as 1.8.0 has https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114 . The choice between Orbit and Maven Central looks easy if beanutils 1.9.4 is not in Orbit.

@akurtakov akurtakov mentioned this issue Feb 16, 2023
akurtakov added a commit to akurtakov/eclipse.platform.releng.aggregator that referenced this issue Feb 16, 2023
Multiple CVEs are fixed compared to the 1.8.0 used, and it removes one more
dependency from ancient Orbit that had to be specially treated to get signed.
Tracked in
eclipse-platform#870
@akurtakov
Member

@merks Now I'm really puzzled. Open https://download.eclipse.org/eclipse/downloads/drops4/I20230215-1800/buildlogs/reporeports/reports/verified8.txt, look for beanutils and see:

org.apache.commons.beanutils.source_1.8.0.v201205091237.jar                                  plugin       jar verified (jarsigner)
org.apache.commons.beanutils_1.8.0.v201205091237.jar                                         plugin       jar verified (jarsigner)

I try to keep an eye on these reports from time to time and it seems fine. Is the oomph or the p2repo-analyzers broken? If it's the p2repo-analyzers, I would rather remove it directly, as its implementation just doesn't create files in some cases, which makes looking at results quite awkward.

@akurtakov
Member

akurtakov commented Feb 16, 2023

On my machine:

/usr/lib/jvm/java-17/bin/jarsigner -verify org.apache.commons.beanutils_1.8.0.v201205091237.jar 

jar verified.

Warning: 
This jar contains entries whose TSA certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The SHA-1 timestamp digest algorithm is considered a security risk. This algorithm will be disabled in a future update.

Re-run with the -verbose and -certs options for more details.

But it still says "jar verified".
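The comment above shows why grepping for "jar verified" is too weak a gate: jarsigner prints it even while warning that the TSA chain is invalid and the timestamp digest is SHA-1. The following added example (my own code, not from the issue or the Eclipse build scripts) parses jarsigner's text output and downgrades the verdict whenever such warnings are present; the two warning fragments seen in the thread are matched verbatim, the other two are assumed standard jarsigner wording.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Warning fragments jarsigner emits that a strict signing gate should not
# treat as a clean verification.  The first two appear verbatim in the thread;
# the other two are standard jarsigner warnings (assumed wording).
DISQUALIFYING_PATTERNS = {
    "tsa_chain_invalid": re.compile(r"TSA certificate chain is invalid"),
    "weak_digest": re.compile(r"SHA-1 .*digest algorithm is considered a security risk"),
    "unsigned_entries": re.compile(r"This jar contains unsigned entries"),
    "cert_expired": re.compile(r"signer certificate has expired"),
}

@dataclass
class Verdict:
    verified: bool                      # jarsigner itself printed "jar verified."
    warnings: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        """Verified by jarsigner AND no disqualifying warning was raised."""
        return self.verified and not self.warnings

def classify(jarsigner_output: str) -> Verdict:
    """Parse jarsigner's text output and return a strict verdict."""
    verified = re.search(r"^jar verified\.", jarsigner_output, re.MULTILINE) is not None
    hits = [name for name, pat in DISQUALIFYING_PATTERNS.items()
            if pat.search(jarsigner_output)]
    return Verdict(verified=verified, warnings=hits)

def verify_jar(path: str, jarsigner: str = "jarsigner") -> Verdict:
    """Run `jarsigner -verify` on a jar and classify it (needs a JDK on PATH)."""
    proc = subprocess.run([jarsigner, "-verify", path], capture_output=True, text=True)
    return classify(proc.stdout + proc.stderr)

# Output reproduced from the issue for the beanutils 1.8.0 bundle (constructed sample).
SAMPLE_OUTPUT = """jar verified.

Warning: 
This jar contains entries whose TSA certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The SHA-1 timestamp digest algorithm is considered a security risk. This algorithm will be disabled in a future update.

Re-run with the -verbose and -certs options for more details.
"""

if __name__ == "__main__":
    v = classify(SAMPLE_OUTPUT)
    print(f"jarsigner verified: {v.verified}; warnings: {v.warnings}; accept: {v.clean}")
```

Run against the sample, the verdict is verified=True but clean=False, which is the distinction the release check needs to make.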

@merks
Contributor Author

merks commented Feb 16, 2023

Unfortunately the results often depend on exactly which version of Java 17 (or 11) is being used. The cacerts are different in the latest (very recent) LTS versions, and even the algorithms and the date ranges in which an algorithm is "valid" vary. 😢

akurtakov added a commit that referenced this issue Feb 18, 2023
Multiple CVEs are fixed compared to the 1.8.0 used, and it removes one more
dependency from ancient Orbit that had to be specially treated to get signed.
Tracked in
#870
@akurtakov
Member

@merks So what about p2repo-analyzer signing checks? Should they be kept?

@merks
Contributor Author

merks commented Feb 18, 2023

I did add support so that it uses Equinox's SignedContentFactory, so I think the test is the same as the one being used in the report generator, but one difference here is that the report generator uses the installer, which bundles the latest Temurin version, and hence the test for sure uses the JRE that will be used in SimRel. I don't know exactly which version is being used by the I-Build...

Perhaps it would be better if the p2repo-analyzer built a product that includes a JustJ JRE to ensure that the test runs with the same JRE that's used by SimRel? Where exactly does this test get invoked by the build?

@akurtakov
Member

@merks
Contributor Author

merks commented Feb 18, 2023

Here's where it's generated and it uses some VM explicitly:

$report_app_dir/p2analyze/p2analyze -data $CJE_ROOT/$TMP_DIR/workspace-report -vm $JAVA_HOME/bin -vmargs -Xmx1g \

@merks
Contributor Author

merks commented Feb 18, 2023

@akurtakov

Shall I include the latest JustJ 17 in org.eclipse.cbi.p2repo.analyzers.product and then remove the -vm argument from this script? I'll have to remember to rebuild it when a new Java 17 comes out to keep it up-to-date... The JVM installed on the machines often lags quite a bit...

@akurtakov
Member

I leave this to you about how to improve the situation.

merks added a commit to merks/eclipse.platform.releng.aggregator that referenced this issue Feb 19, 2023
This is a Temurin-derived JRE and is the same JRE that is used with all the
SimRel products.  Using this URL avoids rate limits that often affect
direct Temurin JREs.

eclipse-platform#870
akurtakov pushed a commit that referenced this issue Feb 19, 2023
This is a Temurin-derived JRE and is the same JRE that is used with all the
SimRel products.  Using this URL avoids rate limits that often affect
direct Temurin JREs.

#870
@merks
Contributor Author

merks commented Feb 20, 2023

No. This issue was masked by the fact that the staging repository is loaded first by my testing, and it PGP signs this artifact:

[screenshot omitted]

Since staging has its own report generated

https://download.eclipse.org/staging/2023-03/buildInfo/archive/download.eclipse.org/staging/2023-03/

I've reduced the other job to test just the platform's I-Build, which produces this same problem report now:

https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/eclipse/updates/4.27-I-builds/index.html

I'll spend a few minutes to see if there is a newer jdom, but I don't think so. Otherwise I'll add these to the force PGP signing list....

@akurtakov
Member

Thanks!

@merks
Contributor Author

merks commented Feb 20, 2023

There is this version, also quite ancient, but it has no OSGi metadata:

https://repo1.maven.org/maven2/org/jdom/jdom/1.1.3/

merks added a commit to merks/eclipse.platform.releng.aggregator that referenced this issue Feb 20, 2023
@merks
Contributor Author

merks commented Feb 20, 2023

We'll have to wait for the next I-Build to see that I've corrected the problem. On the plus side, it's very nice to see that the changes I made to test using the latest Temurin Java 17 helped to uncover this problem which otherwise would very likely have gone unnoticed.

akurtakov pushed a commit to akurtakov/eclipse.platform.releng.aggregator that referenced this issue Feb 20, 2023
@akurtakov
Member

@merks The latest failure https://ci.eclipse.org/releng/job/Builds/job/I-build-4.27/139/console makes me think about this one, as it fails specifically about xpath, which is how jdom comes into play.
@laeubi maybe you can help here too so we can get a build out faster?

@merks
Contributor Author

merks commented Feb 20, 2023

That seems to be the topic of this issue:

eclipse-platform/eclipse.platform.ui.tools#31

We have not changed the jdom dependency (version) at all so it can't be related to that...

@laeubi
Contributor

laeubi commented Feb 20, 2023

Currently the aggregator build suffers from the fact that it can't run in parallel (last time I tried there were some failures in tests ant scripts); the other one is API tool checks (that's worked on at eclipse-tycho/tycho#1328) that currently slow down a lot of things.

So if we can get the build running with -T1C this should already reduce the time a lot; the API tools mojo will hopefully improve the whole thing even more. Then enabling the smartbuilder can also improve the build times.

@akurtakov
Member

@laeubi what about the actual build failure in https://ci.eclipse.org/releng/job/Builds/job/I-build-4.27/139/console ?

@merks
Contributor Author

merks commented Feb 20, 2023

Note that the actual build problem is that the missing bundle was accidentally deleted!

eclipse-platform/eclipse.platform.ui.tools#31 (comment)

@merks
Contributor Author

merks commented Feb 21, 2023

@merks merks closed this as completed Feb 21, 2023