[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #30280 [Applications/Tor Browser]: Wrong SHA-256 sum for j2objc-annotations-1.1.jar
#30280: Wrong SHA-256 sum for j2objc-annotations-1.1.jar
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-
| team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-mobile, tbb-rbm, | Actual Points:
TorBrowserTeam201904 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [comment:2 sisbell]:
> If we look at maven central, we see the later 2017 version
>
> http://central.maven.org/maven2/com/google/j2objc/j2objc-annotations/1.1
>
> If we go to ibiblio, we see the earlier 2016 version
> http://maven.ibiblio.org/maven2/com/google/j2objc/j2objc-
annotations/1.1/
>
> So it does look like bintray pulled from ibiblio and then later from
maven central. We don't have any assurances bintray wouldn't switch back
at some point.
>
> My suggestion at this point, is to dump all uses of bintray. There is
nothing stopping someone from overriding artifacts, using this as a back
door. We can point all references directly to maven central and then to
ibiblio in the (unlikely) situation that central doesn't host the
artifact.
Works for me. Could you come up with a patch for that?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30280#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs