Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SHA-1's of Maven and GitHub jars don't match #83

Closed
Ubehebe opened this issue Dec 19, 2018 · 1 comment
Closed

SHA-1's of Maven and GitHub jars don't match #83

Ubehebe opened this issue Dec 19, 2018 · 1 comment

Comments

@Ubehebe
Copy link

Ubehebe commented Dec 19, 2018

$ for jar in \
  "https://search.maven.org/remotecontent?filepath=com/google/re2j/re2j/1.2/re2j-1.2.jar" \
  "https://github.com/google/re2j/releases/download/re2j-1.2/re2j-1.2.jar"; do \
  curl -Ls "$jar" | shasum; done                                                                         
4361eed4abe6f84d982cbb26749825f285996dd2  -
499d5e041f962fefd0f245a9325e8125608ebb54  -

After extracting the jars and doing a recursive diff, I get:

$ diff -r maven/META-INF/MANIFEST.MF github/META-INF/MANIFEST.MF
1a2,5
> Archiver-Version: Plexus Archiver
> Built-By: sjr
> Created-By: Apache Maven 3.5.0
> Build-Jdk: 1.8.0_151
Only in github/META-INF: maven
Binary files maven/com/google/re2j/Matcher.class and github/com/google/re2j/Matcher.class differ
Binary files maven/com/google/re2j/Parser$1.class and github/com/google/re2j/Parser$1.class differ
Binary files maven/com/google/re2j/Parser$Pair.class and github/com/google/re2j/Parser$Pair.class differ
Binary files maven/com/google/re2j/Parser$Stack.class and github/com/google/re2j/Parser$Stack.class differ
Binary files maven/com/google/re2j/Parser$StringIterator.class and github/com/google/re2j/Parser$StringIterator.class differ
Binary files maven/com/google/re2j/Parser.class and github/com/google/re2j/Parser.class differ
Binary files maven/com/google/re2j/RE2$1.class and github/com/google/re2j/RE2$1.class differ
Binary files maven/com/google/re2j/RE2$10.class and github/com/google/re2j/RE2$10.class differ
Binary files maven/com/google/re2j/RE2$2.class and github/com/google/re2j/RE2$2.class differ
Binary files maven/com/google/re2j/RE2$3.class and github/com/google/re2j/RE2$3.class differ
Binary files maven/com/google/re2j/RE2$4.class and github/com/google/re2j/RE2$4.class differ
Binary files maven/com/google/re2j/RE2$5.class and github/com/google/re2j/RE2$5.class differ
Binary files maven/com/google/re2j/RE2$6.class and github/com/google/re2j/RE2$6.class differ
Binary files maven/com/google/re2j/RE2$7.class and github/com/google/re2j/RE2$7.class differ
Binary files maven/com/google/re2j/RE2$8.class and github/com/google/re2j/RE2$8.class differ
Binary files maven/com/google/re2j/RE2$9.class and github/com/google/re2j/RE2$9.class differ
Binary files maven/com/google/re2j/RE2.class and github/com/google/re2j/RE2.class differ
Binary files maven/com/google/re2j/Regexp$1.class and github/com/google/re2j/Regexp$1.class differ
Binary files maven/com/google/re2j/Regexp$Op.class and github/com/google/re2j/Regexp$Op.class differ
Binary files maven/com/google/re2j/Regexp.class and github/com/google/re2j/Regexp.class differ

Doing a sample decompilation of corresponding class files:

$ diff <(javap maven/com/google/re2j/Matcher.class) <(javap github/com/google/re2j/Matcher.class)
9a10
>   public int start(java.lang.String);
10a12
>   public int end(java.lang.String);
12a15
>   public java.lang.String group(java.lang.String);

So the GitHub jar has some APIs that the Maven jar doesn't. I also confirmed this via the Maven source jar for 1.2.

Hopefully this is just a hiccup in the release process (I notice the prior release was from 2015). Can someone double-check my work, verify that nothing serious is going on here, and possibly re-publish one or both artifacts? Thanks!

Ubehebe added a commit to Ubehebe/grpc-java that referenced this issue Dec 19, 2018
the fundamental issue is that the sha-1 sums for the github and maven
jars for re2j are different. (see
google/re2j#83 for discussion.) the sha used
at grpc-java head corresponds to the github jar, but the target itself
refers to the maven jar.

the reason no one has noticed is that @com_google_re2j//jar is not
actually used as a dependency in any bazel target in this repo. this
will change once the services/ directory becomes a bazel package. (the
source files in services/ do depend on re2j.)
carl-mastrangelo pushed a commit to grpc/grpc-java that referenced this issue Dec 19, 2018
the fundamental issue is that the sha-1 sums for the github and maven
jars for re2j are different. (see
google/re2j#83 for discussion.) the sha used
at grpc-java head corresponds to the github jar, but the target itself
refers to the maven jar.

the reason no one has noticed is that @com_google_re2j//jar is not
actually used as a dependency in any bazel target in this repo. this
will change once the services/ directory becomes a bazel package. (the
source files in services/ do depend on re2j.)
@sjamesr
Copy link
Contributor

sjamesr commented Jul 23, 2019

This is fixed now, sorry for the delay. The github copies of RE2/J 1.2 now match the ones in Maven Central and JCenter.

@sjamesr sjamesr closed this as completed Jul 23, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants