[tor-bugs] #30280 [Applications/Tor Browser]: Wrong SHA-256 sum for j2objc-annotations-1.1.jar

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 25 05:54:22 UTC 2019


#30280: Wrong SHA-256 sum for j2objc-annotations-1.1.jar
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  defect                               |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-mobile, tbb-rbm,                 |  Actual Points:
  TorBrowserTeam201904, tbb-8.5-must             |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by sisbell):

 Replying to [comment:4 gk]:
 > Replying to [comment:2 sisbell]:
 > > If we look at maven central, we see the later 2017 version
 > >
 > > http://central.maven.org/maven2/com/google/j2objc/j2objc-annotations/1.1
 > >
 > > If we go to ibiblio, we see the earlier 2016 version
 > > http://maven.ibiblio.org/maven2/com/google/j2objc/j2objc-annotations/1.1/
 > >
 > > So it does look like bintray pulled from ibiblio and then later from
 > > maven central. We don't have any assurances bintray wouldn't switch back
 > > at some point.
 > >
 > > My suggestion at this point, is to dump all uses of bintray. There is
 > > nothing stopping someone from overriding artifacts, using this as a back
 > > door. We can point all references directly to maven central and then to
 > > ibiblio in the (unlikely) situation that central doesn't host the
 > > artifact.
 >
 > Works for me. Could you come up with a patch for that?

 Yes, working on that now. Almost all artifacts from bintray are located in
 maven central. But it looks like a few artifacts are only located in
 https://repo.spring.io/plugins-release/ so that will be another repo we
 will directly point at. I'll also need to update the documentation since
 this is an extra step we will need to take when generating dependencies.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30280#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
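
An added example, not part of the ticket or of the Tor Browser build system: a pinned-digest check that fetches one artifact path from several repositories in priority order and reports which copies match the pin, which differ, and which are absent. The repository labels, the in-memory `fetch` and the byte strings are constructed stand-ins, not the real jars or their hashes.

```python
import hashlib

# Constructed stand-ins for two different builds published under the same
# coordinates; these are NOT the real jar contents.
BUILD_2016 = b"constructed sample: j2objc-annotations-1.1 (2016 build)"
BUILD_2017 = b"constructed sample: j2objc-annotations-1.1 (2017 build)"
PATH = "com/google/j2objc/j2objc-annotations/1.1/j2objc-annotations-1.1.jar"

# Hypothetical in-memory repos keyed by label; a real fetch() would use HTTPS.
REPOS = {
    "central": {PATH: BUILD_2017},
    "ibiblio": {PATH: BUILD_2016},
    "spring-plugins": {},  # does not host this artifact
}

def fetch(repo, path):
    """Return the artifact bytes, or None when the repo does not host it."""
    return REPOS[repo].get(path)

def audit(path, pinned_sha256, priority, fetch=fetch):
    """Fetch `path` from every repo in `priority` order and sort the repos
    into matching / mismatched / missing relative to the pinned digest.
    Only the first matching repo is accepted as the download source."""
    report = {"accepted": None, "matching": [], "mismatched": {}, "missing": []}
    for repo in priority:
        data = fetch(repo, path)
        if data is None:
            report["missing"].append(repo)
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest == pinned_sha256:
            report["matching"].append(repo)
        else:
            report["mismatched"][repo] = digest
    if report["matching"]:
        report["accepted"] = report["matching"][0]
    return report

def require(report):
    """Fail the build instead of silently taking a different file."""
    if report["accepted"] is None:
        raise RuntimeError(f"no repo served the pinned digest: {report}")
    return report["accepted"]

if __name__ == "__main__":
    pin = hashlib.sha256(BUILD_2017).hexdigest()
    r = audit(PATH, pin, ["central", "ibiblio", "spring-plugins"])
    print(require(r), r["mismatched"], r["missing"])
```

A non-empty `mismatched` entry is the condition this ticket describes: two repositories serving different bytes under the same group, artifact and version.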

