[Building Sakai] Wrong or nonexistent checksums for some dependencies

Colin Hebert colin.hebert at oucs.ox.ac.uk
Fri Feb 3 09:34:32 PST 2012


Hello all,

I tried to build Sakai using the '--strict-checksums' option in Maven
and I had trouble with some dependencies having either a checksum
different than the expected one (from the sha-1 file) or no sha-1 to
verify against.

Most of these dependencies are available on the Maven repository at
source.sakaiproject.org/maven2.

Here is a list of the concerned dependencies (affecting my build):

http://source.sakaiproject.org/maven2/batik/batik/1.5-fop-0.20-5/
http://source.sakaiproject.org/maven2/fop/fop/20070301/
http://source.sakaiproject.org/maven2/ical4j/ical4j/1.0-rc2/
http://source.sakaiproject.org/maven2/javax/activation/activation/1.0.2/
http://source.sakaiproject.org/maven2/javax/jms/jms/1.1/
http://source.sakaiproject.org/maven2/javax/mail/mail/1.3.1/
http://source.sakaiproject.org/maven2/javax/transaction/jta/1.0.1B/
http://source.sakaiproject.org/maven2/jsf/jsf-api/1.1.01/
http://source.sakaiproject.org/maven2/jsf/jsf-impl/1.1.01/
http://source.sakaiproject.org/maven2/jta/jta/h2.1.8/
http://source.sakaiproject.org/maven2/net/sf/jsmath/jsmath/3.3g/
http://source.sakaiproject.org/maven2/net/sf/jsmath/jsmath-fonts/1.3/
http://source.sakaiproject.org/maven2/OKI/OkiOSID/2.0/
http://source.sakaiproject.org/maven2/org/apache/commons/xml-resolver/1.2/
http://source.sakaiproject.org/maven2/org/azeckoski/reflectutils/0.9.15/
http://source.sakaiproject.org/maven2/org/opensymphony/quartz/quartz/1.6.6/
http://source.sakaiproject.org/maven2/portlet-api/portlet-api/1.0.1/
http://source.sakaiproject.org/maven2/rome/itunes/0.3/
http://source.sakaiproject.org/maven2/tomcat/catalina/tomcat-5.5.33/
http://source.sakaiproject.org/maven2/tomcat/catalina-optional/tomcat-5.5.33/
http://source.sakaiproject.org/maven2/tomcat/naming-resources/tomcat-5.5.33/
http://source.sakaiproject.org/maven2/tomcat/jmx/tomcat-5.5.33/
http://source.sakaiproject.org/maven2/zing/cql-java/0.7/

There was also one from repo1 (net.sf.json-lib:json-lib:jar:jdk15:2.3).

This could be fixed to improve security; and for projects without a
sha-1 file, it will avoid corrupted downloads.

Cheers,
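
An added example, not part of the original message or of Sakai's build: a Python audit of a Maven-layout repository directory that sorts each .jar/.pom into the two failure cases described above (digest differs from the .sha1 file, or no .sha1 file to verify against). The org/example/demo artifact, the sample tree and all function names are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Sidecars are not uniform: bare digest, "digest  filename", upper-case hex.
HEX40 = re.compile(r"\b[0-9a-fA-F]{40}\b")

def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def expected_sha1(sidecar):
    m = HEX40.search(sidecar.read_text(errors="replace"))
    return m.group(0).lower() if m else None  # None: e.g. an HTML error page

def audit(repo_root):
    """Map each .jar/.pom (relative path) to ok / mismatch / missing / unparseable."""
    root, results = Path(repo_root), {}
    artifacts = (p for p in root.rglob("*") if p.suffix in (".jar", ".pom"))
    for art in sorted(p for p in artifacts if p.is_file()):
        sidecar = art.with_name(art.name + ".sha1")
        if not sidecar.exists():
            status = "missing"      # nothing to verify against
        elif (want := expected_sha1(sidecar)) is None:
            status = "unparseable"  # sidecar present but holds no digest
        else:
            status = "ok" if want == sha1_of(art) else "mismatch"
        results[art.relative_to(root).as_posix()] = status
    return results

def build_sample_repo(root):
    """Constructed sample tree (hypothetical artifact), one file per outcome."""
    d = Path(root, "org/example/demo/1.0")
    d.mkdir(parents=True)
    good, other = (hashlib.sha1(b).hexdigest() for b in (b"jar bytes", b"tampered"))
    sidecars = {"demo-1.0.jar": good.upper() + "  demo-1.0.jar\n",
                "demo-1.0.pom": other + "\n", "demo-1.0-sources.jar": None}
    for name, sidecar in sidecars.items():
        (d / name).write_bytes(b"jar bytes")
        if sidecar is not None:
            (d / (name + ".sha1")).write_text(sidecar)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        print("\n".join(f"{s:12} {p}" for p, s in audit(tmp).items()))
```
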

