Re: [cross-project-issues-dev] Signed content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [cross-project-issues-dev] Signed content

From: Ed Willink <ed.willink@xxxxxxxxx>
Date: Sun, 2 May 2021 11:50:19 +0100
Delivered-to: cross-project-issues-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/cross-project-issues-dev/>
List-help: <mailto:cross-project-issues-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.1

The QVTd build has just failed [1] with:

java.lang.SecurityException: class "org.eclipse.core.runtime.RegistryFactory"'s signer information does not match signer information of other classes in the same package

This has happened a few times before [2], [4].

The problem was always that a split package had only been partially rebuilt and so was inconsistently signed.

The specific bad build was fixed, but the stretch bug [3] of guaranteeing a rebuild of the split package ensemble remains outstanding.

This looks like the same problem again, but may be the new don't sign policy has rippled, so I'll defer raising another Bugzilla pending discussion here.

Regards

Ed Willink

[1] https://ci.eclipse.org/qvtd/job/qvtd-master/377/display/redirect

[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=267150

[3] https://bugs.eclipse.org/bugs/show_bug.cgi?id=466991

[4] https://bugs.eclipse.org/bugs/show_bug.cgi?id=531640

On 02/05/2021 09:10, Ed Merks wrote:

Hi,

I am assume from observation that the platform team has decided to change its signing policy to not physically sign some jars anymore:

https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/eclipse/updates/4.20-I-builds/index.html

This of course propagates to SimRel:

https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/staging/2021-06/index.html

I don't recall a Planning Council policy decision to drop/change the need for signed jars. I don't know the full impact this has on the installer nor on consumers. The installer at least appears to happily install such things and the IDE presents such things to the user as if they are signed:

Slowly I get the feeling that SimRel is a no longer process where we all work together as a team. Rather it feels as if the platform team can and does unilaterally make decisions for everyone else.

Regards,
Ed
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

Virus-free. www.avast.com

References:
- [cross-project-issues-dev] Signed content
  - From: Ed Merks

Prev by Date: [cross-project-issues-dev] Signed content
Next by Date: Re: [cross-project-issues-dev] [platform-dev] Signed content
Previous by thread: [cross-project-issues-dev] Signed content
Next by thread: Re: [cross-project-issues-dev] [platform-dev] Signed content
Index(es):
- Date
- Thread

Breadcrumbs