-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The ancient org.apache.commons.beanutils 1.8.0.v201205091237 bundles are seen as unsigned #870
Comments
I just see this one but can't find beanutils 1.9.4 in latest Orbit https://download.eclipse.org/tools/orbit/downloads/drops/S20230214193619/repository/plugins/ . I think we should go for 1.9.4 from Maven central as 1.8.0 has https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114 . The choice between Orbit and Maven Central looks easy if beanutils 1.9.4 is not in Orbit. |
Multiple CVEs are fixed compared to 1.8.0 used and it removes one more dependency from ancient Orbit that had to special treated to get signed. Tracked in eclipse-platform#870
@merks Now I'm really puzzled. Open https://download.eclipse.org/eclipse/downloads/drops4/I20230215-1800/buildlogs/reporeports/reports/verified8.txt look for beanutils and see:
I try to keep an eye on these reports from time to time and it seems fine. Is the oomph or the p2repo-analyzers broken? If it's the p2repo-analyzers I would rather remove it directly as its implementation just doesn't create files in some cases which makes looking at results quite awkward. |
On my machine:
But it still says "jar verified". |
Unfortunately the results often depend on exactly which version of Java 17 (or 11) is being used. The cacerts are different in latest (very recent) LTS versions and even the algorithms and date ranges that the algorithm is "valid" varies. 😢 |
Multiple CVEs are fixed compared to 1.8.0 used and it removes one more dependency from ancient Orbit that had to special treated to get signed. Tracked in #870
@merks So what about p2repo-analyzer signing checks? Should they be kept? |
I did add support that it uses Equinox's SignedContentFactory so I think the test is the same being used in the report generator, but one difference here is that the report generator uses the installer which bundles the latest Termurin version and hence the test for sure uses the JRE that will be used in SimRel. I don't know exactly which version is being used by the I-Build... Perhaps it would be better if the p2repo-analyzer built a product that include a JustJ JRE to ensure that the test runs with the same JRE that's used by SimRel? Where exactly does this test get invoked by the build? |
It's https://github.com/eclipse-platform/eclipse.platform.releng/blob/master/bundles/org.eclipse.releng.tests/src/org/eclipse/releng/tests/BuildTests.java#L330 which simply inspects the content of the reports generated by p2repo-analyzers. |
Here's where it's generated and it uses some VM explicitly: eclipse.platform.releng.aggregator/cje-production/mbscripts/mb500_createRepoReports.sh Line 38 in 4625620
|
Shall I include JustJ 17 latest in org.eclipse.cbi.p2repo.analyzers.product and then remove the -vm argument from this script? I'll have to remember to rebuilt it when a new Java 17 comes out to keep it up-to-date... The JVM installed on the machines often lags quite a bit... |
I leave this to you about how to improve the situation. |
This is a Temurin-derived JRE and is same JRE that is used with all the SimRel products. Using this URL avoids rate limits that often affect direct Temurin JREs. eclipse-platform#870
This is a Temurin-derived JRE and is same JRE that is used with all the SimRel products. Using this URL avoids rate limits that often affect direct Temurin JREs. #870
So now jdom is claimed to be unsigned https://download.eclipse.org/eclipse/downloads/drops4/I20230219-0600/buildlogs/reporeports/reports/unsigned8.txt . Is your tool reporting it too? |
No. This issue was masked by the fact that the staging repository is loaded loaded first by my testing and it PGP signs this artifact: Since staging has it's own report generated https://download.eclipse.org/staging/2023-03/buildInfo/archive/download.eclipse.org/staging/2023-03/ I've reduce the other job to test just the platform's I-Build which produces this same problem report now: I'll spend a few minutes to see if there is a newer jdom, but I don't think so. Otherwise I'll add these to the force PGP signing list.... |
Thanks! |
There is this version, also quite ancient, but it has no OSGi metadata: |
We'll have to wait for the next I-Build to see that I've corrected the problem. On the plus side, it's very nice to see that the changes I made to test using the latest Temurin Java 17 helped to uncover this problem which otherwise would very likely have gone unnoticed. |
@merks Latest failure https://ci.eclipse.org/releng/job/Builds/job/I-build-4.27/139/console makes me think about this one as it fails specifically about xpath which is how jdom comes into play. |
That seems to be the topic of this issue: eclipse-platform/eclipse.platform.ui.tools#31 We have not changed the jdom dependency (version) at all so it can't be related to that... |
Currently the aggregator build suffers from the fact that it can't run parallel (last time i tried there where some failures in tests ant scripts), the other one is API tool checks (that's worked on at eclipse-tycho/tycho#1328) that are currently slow down a lot of things. So if we can get the build running with |
@laeubi what about the actual build failure in https://ci.eclipse.org/releng/job/Builds/job/I-build-4.27/139/console ? |
Note that the actual build problem is that the missing bundle was accidentally deleted! |
The latest I-build shows org.jdom is PGP signed. |
This test shows the failures:
https://ci.eclipse.org/oomph/job/repository-analyzer/lastCompletedBuild/testReport/
It's reported here:
https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/eclipse/updates/4.27-I-builds/index.html
Specifically this:
This is a regression caused by this change:
#773
I'm not sure how removing one Orbit dependency but adding two other Orbit dependencies was an improvement.
@akurtakov
We should either revert that, force PGP sign these things here:
eclipse.platform.releng.aggregator/eclipse.platform.releng.tychoeclipsebuilder/pom.xml
Lines 45 to 66 in 7538dfb
Or use this newer version if possible:
https://download.eclipse.org/staging/2023-03/buildInfo/archive/download.eclipse.org/staging/2023-03/index/org.apache.commons.commons-beanutils_1.9.4.html
I'm mostly unavailable today and tomorrow...
The text was updated successfully, but these errors were encountered: